/mandos/trunk : revision 1194

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: teddy at recompile
Date: 2019-12-05 03:38:07 UTC
Revision ID: teddy@recompile.se-20191205033807-6awt45zpgp194vl1

http://bugs.debian.org/946006

From: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>

Add Dutch debconf translation

* debian/po/nl.po: New.

Acked-by: Teddy Hogeborn <teddy@recompile.se>

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-08-31">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

100

</group>

101

<sbr/>

102

<group>

113

114

</group>

115

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

116

113

<arg>

117

114

<option>--priority <replaceable>STRING</replaceable></option>

118

115

</arg>

122

119

</arg>

123

120

<sbr/>

124

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

</arg>

128

<sbr/>

129

<arg>

130

<option>--retry <replaceable>SECONDS</replaceable></option>

131

</arg>

132

<sbr/>

133

<arg>

134

<option>--network-hook-dir

135

136

</arg>

137

<sbr/>

138

<arg>

125

139

<option>--debug</option>

126

140

</arg>

127

141

</cmdsynopsis>

144

158

</group>

145

159

</cmdsynopsis>

146

160

</refsynopsisdiv>

147

161

148

162

149

163

<title>DESCRIPTION</title>

150

164

<para>

151

<command>&COMMANDNAME;</command> is a mandos plugin that works

152

like a client program that through avahi detects mandos servers,

153

sets up a gnutls connect and request a encrypted password. Any

154

passwords given is automaticly decrypted and passed to

155

cryptsetup.

165

<command>&COMMANDNAME;</command> is a client program that

166

communicates with <citerefentry><refentrytitle

167

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

168

to get a password. In slightly more detail, this client program

169

brings up network interfaces, uses the interfaces’ IPv6

170

link-local addresses to get network connectivity, uses Zeroconf

171

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

176

servers are periodically retried. If no servers are found it

177

will wait indefinitely for new servers to appear.

178

</para>

179

<para>

180

The network interfaces are selected like this: If any interfaces

181

are specified using the <option>--interface</option> option,

182

those interface are used. Otherwise,

183

<command>&COMMANDNAME;</command> will use all interfaces that

184

are not loopback interfaces, are not point-to-point interfaces,

185

are capable of broadcasting and do not have the NOARP flag (see

186

<citerefentry><refentrytitle>netdevice</refentrytitle>

187

<manvolnum>7</manvolnum></citerefentry>). (If the

188

<option>--connect</option> option is used, point-to-point

189

interfaces and non-broadcast interfaces are accepted.) If any

190

used interfaces are not up and running, they are first taken up

191

(and later taken down again on program exit).

192

</para>

193

<para>

194

Before network interfaces are selected, all <quote>network

195

hooks</quote> are run; see <xref linkend="network-hooks"/>.

196

</para>

197

<para>

198

This program is not meant to be run directly; it is really meant

199

to run as a plugin of the <application>Mandos</application>

200

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

201

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

202

initial <acronym>RAM</acronym> disk environment because it is

203

specified as a <quote>keyscript</quote> in the <citerefentry>

204

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

205

</citerefentry> file.

206

</para>

207

</refsect1>

208

209

210

<title>PURPOSE</title>

211

<para>

212

The purpose of this is to enable <emphasis>remote and unattended

213

rebooting</emphasis> of client host computer with an

214

<emphasis>encrypted root file system</emphasis>. See <xref

215

linkend="overview"/> for details.

156

216

</para>

157

217

</refsect1>

158

218

159

219

160

220

<title>OPTIONS</title>

161

221

<para>

162

Commonly not invoked as command lines but from configuration

163

file of plugin runner.

222

This program is commonly not invoked from the command line; it

223

is normally started by the <application>Mandos</application>

224

plugin runner, see <citerefentry><refentrytitle

225

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

226

</citerefentry>. Any command line options this program accepts

227

are therefore normally provided by the plugin runner, and not

228

directly.

164

229

</para>

165

230

166

231

167

232

168

233

<term><option>--connect=<replaceable

169

>IPADDR</replaceable><literal>:</literal><replaceable

234

>ADDRESS</replaceable><literal>:</literal><replaceable

170

235

>PORT</replaceable></option></term>

171

236

<term><option>-c

172

<replaceable>IPADDR</replaceable><literal>:</literal

237

<replaceable>ADDRESS</replaceable><literal>:</literal

173

238

><replaceable>PORT</replaceable></option></term>

174

239

175

240

<para>

176

Connect directly to a specified mandos server

241

Do not use Zeroconf to locate servers. Connect directly

242

to only one specified <application>Mandos</application>

243

server. Note that an IPv6 address has colon characters in

244

it, so the <emphasis>last</emphasis> colon character is

245

assumed to separate the address from the port number.

177

246

</para>

178

</listitem>

179

</varlistentry>

180

181

182

<term><option>--keydir=<replaceable

183

>DIRECTORY</replaceable></option></term>

184

<term><option>-d

185

<replaceable>DIRECTORY</replaceable></option></term>

186

187

247

<para>

188

Directory where the openpgp keyring is

248

Normally, Zeroconf would be used to locate Mandos servers,

249

in which case this option would only be used when testing

250

and debugging.

189

251

</para>

190

252

</listitem>

191

253

</varlistentry>

192

254

193

255

194

<term><option>--interface=

195

256

<term><option>--interface=<replaceable

257

>NAME</replaceable><arg rep='repeat'>,<replaceable

258

>NAME</replaceable></arg></option></term>

196

259

<term><option>-i

197

260

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

261

>NAME</replaceable></arg></option></term>

198

262

199

263

<para>

200

Interface that Avahi will connect through

264

Comma separated list of network interfaces that will be

265

brought up and scanned for Mandos servers to connect to.

266

The default is the empty string, which will automatically

267

use all appropriate interfaces.

268

</para>

269

<para>

270

If the <option>--connect</option> option is used, and

271

exactly one interface name is specified (except

272

<quote><literal>none</literal></quote>), this specifies

273

the interface to use to connect to the address given.

274

</para>

275

<para>

276

Note that since this program will normally run in the

277

initial RAM disk environment, the interface must be an

278

interface which exists at that stage. Thus, the interface

279

can normally not be a pseudo-interface such as

280

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

281

will not exist until much later in the boot process, and

282

can not be used by this program, unless created by a

283

<quote>network hook</quote> — see <xref

284

linkend="network-hooks"/>.

285

</para>

286

<para>

287

<replaceable>NAME</replaceable> can be the string

288

<quote><literal>none</literal></quote>; this will make

289

<command>&COMMANDNAME;</command> only bring up interfaces

290

specified <emphasis>before</emphasis> this string. This

291

is not recommended, and only meant for advanced users.

201

292

</para>

202

293

</listitem>

203

294

</varlistentry>

204

295

205

296

206

297

<term><option>--pubkey=<replaceable

207

298

>FILE</replaceable></option></term>

209

300

210

301

211

302

<para>

212

Public openpgp key for gnutls authentication

303

OpenPGP public key file name. The default name is

304

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

305

></quote>.

213

306

</para>

214

307

</listitem>

215

308

</varlistentry>

216

309

217

310

218

311

<term><option>--seckey=<replaceable

219

312

>FILE</replaceable></option></term>

221

314

222

315

223

316

<para>

224

Secret OpenPGP key for GnuTLS authentication

317

OpenPGP secret key file name. The default name is

318

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

319

></quote>.

225

320

</para>

226

321

</listitem>

227

322

</varlistentry>

228

323

229

324

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

230

353

<term><option>--priority=<replaceable

231

354

>STRING</replaceable></option></term>

232

355

233

<para>

234

GnuTLS priority

235

</para>

356

<xi:include href="../mandos-options.xml"

357

xpointer="priority"/>

236

358

</listitem>

237

359

</varlistentry>

238

360

239

361

240

362

<term><option>--dh-bits=<replaceable

241

363

>BITS</replaceable></option></term>

242

364

243

365

<para>

244

DH bits to use in gnutls communication

366

Sets the number of bits to use for the prime number in the

367

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

389

</para>

390

</listitem>

391

</varlistentry>

392

393

394

<term><option>--delay=<replaceable

395

>SECONDS</replaceable></option></term>

396

397

<para>

398

After bringing a network interface up, the program waits

399

for the interface to arrive in a <quote>running</quote>

400

state before proceeding. During this time, the kernel log

401

level will be lowered to reduce clutter on the system

402

console, alleviating any other plugins which might be

403

using the system console. This option sets the upper

404

limit of seconds to wait. The default is 2.5 seconds.

405

</para>

406

</listitem>

407

</varlistentry>

408

409

410

<term><option>--retry=<replaceable

411

>SECONDS</replaceable></option></term>

412

413

<para>

414

All Mandos servers are tried repeatedly until a password

415

is received. This value specifies, in seconds, how long

416

between each successive try <emphasis>for the same

417

server</emphasis>. The default is 10 seconds.

418

</para>

419

</listitem>

420

</varlistentry>

421

422

423

<term><option>--network-hook-dir=<replaceable

424

>DIR</replaceable></option></term>

425

426

<para>

427

Network hook directory. The default directory is

428

<quote><filename class="directory"

429

>/lib/mandos/network-hooks.d</filename></quote>.

245

430

</para>

246

431

</listitem>

247

432

</varlistentry>

250

435

<term><option>--debug</option></term>

251

436

252

437

<para>

253

Debug mode

438

Enable debug mode. This will enable a lot of output to

439

standard error about what the program is doing. The

440

program will still perform all other functions normally.

441

</para>

442

<para>

443

It will also enable debug mode in the Avahi and GnuTLS

444

libraries, making them print large amounts of debugging

445

output.

254

446

</para>

255

447

</listitem>

256

448

</varlistentry>

260

452

261

453

262

454

<para>

263

Gives a help message

455

Gives a help message about options and their meanings.

264

456

</para>

265

457

</listitem>

266

458

</varlistentry>

269

461

<term><option>--usage</option></term>

270

462

271

463

<para>

272

Gives a short usage message

464

Gives a short usage message.

273

465

</para>

274

466

</listitem>

275

467

</varlistentry>

276

468

277

469

278

470

<term><option>--version</option></term>

279

471

280

472

281

473

<para>

282

Prints the program version

474

Prints the program version.

283

475

</para>

284

476

</listitem>

285

477

</varlistentry>

286

478

</variablelist>

287

479

</refsect1>

288

480

481

482

<title>OVERVIEW</title>

483

<xi:include href="../overview.xml"/>

484

<para>

485

This program is the client part. It is a plugin started by

486

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

487

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

488

an initial <acronym>RAM</acronym> disk environment.

489

</para>

490

<para>

491

This program could, theoretically, be used as a keyscript in

492

<filename>/etc/crypttab</filename>, but it would then be

493

impossible to enter a password for the encrypted root disk at

494

the console, since this program does not read from the console

495

at all. This is why a separate plugin runner (<citerefentry>

496

<refentrytitle>plugin-runner</refentrytitle>

497

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

498

both this program and others in in parallel,

499

<emphasis>one</emphasis> of which (<citerefentry>

500

<refentrytitle>password-prompt</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

502

passwords on the system console.

503

</para>

504

</refsect1>

505

289

506

290

507

<title>EXIT STATUS</title>

291

508

<para>

509

This program will exit with a successful (zero) exit status if a

510

server could be found and the password received from it could be

511

successfully decrypted and output on standard output. The

512

program will exit with a non-zero exit status only if a critical

513

error occurs. Otherwise, it will forever connect to any

514

discovered <application>Mandos</application> servers, trying to

515

get a decryptable password and print it.

292

516

</para>

293

517

</refsect1>

294

518

295

519

296

520

<title>ENVIRONMENT</title>

297

<para>

298

</para>

299

</refsect1>

300

301

521

522

523

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

524

525

<para>

526

This environment variable will be assumed to contain the

527

directory containing any helper executables. The use and

528

nature of these helper executables, if any, is purposely

529

not documented.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

534

<para>

535

This program does not use any other environment variables, not

536

even the ones provided by <citerefentry><refentrytitle

537

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

538

</citerefentry>.

539

</para>

540

</refsect1>

541

542

543

<title>NETWORK HOOKS</title>

544

<para>

545

If a network interface like a bridge or tunnel is required to

546

find a Mandos server, this requires the interface to be up and

547

running before <command>&COMMANDNAME;</command> starts looking

548

for Mandos servers. This can be accomplished by creating a

549

<quote>network hook</quote> program, and placing it in a special

550

directory.

551

</para>

552

<para>

553

Before the network is used (and again before program exit), any

554

runnable programs found in the network hook directory are run

555

with the argument <quote><literal>start</literal></quote> or

556

<quote><literal>stop</literal></quote>. This should bring up or

557

down, respectively, any network interface which

558

<command>&COMMANDNAME;</command> should use.

559

</para>

560

561

<title>REQUIREMENTS</title>

562

<para>

563

A network hook must be an executable file, and its name must

564

consist entirely of upper and lower case letters, digits,

565

underscores, periods, and hyphens.

566

</para>

567

<para>

568

A network hook will receive one argument, which can be one of

569

the following:

570

</para>

571

572

573

<term><literal>start</literal></term>

574

575

<para>

576

This should make the network hook create (if necessary)

577

and bring up a network interface.

578

</para>

579

</listitem>

580

</varlistentry>

581

582

583

584

<para>

585

This should make the network hook take down a network

586

interface, and delete it if it did not exist previously.

587

</para>

588

</listitem>

589

</varlistentry>

590

591

<term><literal>files</literal></term>

592

593

<para>

594

This should make the network hook print, <emphasis>one

595

file per line</emphasis>, all the files needed for it to

596

run. (These files will be copied into the initial RAM

597

filesystem.) Typical use is for a network hook which is

598

a shell script to print its needed binaries.

599

</para>

600

<para>

601

It is not necessary to print any non-executable files

602

already in the network hook directory, these will be

603

copied implicitly if they otherwise satisfy the name

604

requirements.

605

</para>

606

</listitem>

607

</varlistentry>

608

609

<term><literal>modules</literal></term>

610

611

<para>

612

This should make the network hook print, <emphasis>on

613

separate lines</emphasis>, all the kernel modules needed

614

for it to run. (These modules will be copied into the

615

initial RAM filesystem.) For instance, a tunnel

616

interface needs the

617

<quote><literal>tun</literal></quote> module.

618

</para>

619

</listitem>

620

</varlistentry>

621

</variablelist>

622

<para>

623

The network hook will be provided with a number of environment

624

variables:

625

</para>

626

627

628

<term><envar>MANDOSNETHOOKDIR</envar></term>

629

630

<para>

631

The network hook directory, specified to

632

<command>&COMMANDNAME;</command> by the

633

<option>--network-hook-dir</option> option. Note: this

634

should <emphasis>always</emphasis> be used by the

635

network hook to refer to itself or any files in the hook

636

directory it may require.

637

</para>

638

</listitem>

639

</varlistentry>

640

641

<term><envar>DEVICE</envar></term>

642

643

<para>

644

The network interfaces, as specified to

645

<command>&COMMANDNAME;</command> by the

646

<option>--interface</option> option, combined to one

647

string and separated by commas. If this is set, and

648

does not contain the interface a hook will bring up,

649

there is no reason for a hook to continue.

650

</para>

651

</listitem>

652

</varlistentry>

653

654

655

656

<para>

657

This will be the same as the first argument;

658

i.e. <quote><literal>start</literal></quote>,

659

<quote><literal>stop</literal></quote>,

660

<quote><literal>files</literal></quote>, or

661

<quote><literal>modules</literal></quote>.

662

</para>

663

</listitem>

664

</varlistentry>

665

666

<term><envar>VERBOSITY</envar></term>

667

668

<para>

669

This will be the <quote><literal>1</literal></quote> if

670

the <option>--debug</option> option is passed to

671

<command>&COMMANDNAME;</command>, otherwise

672

<quote><literal>0</literal></quote>.

673

</para>

674

</listitem>

675

</varlistentry>

676

677

<term><envar>DELAY</envar></term>

678

679

<para>

680

This will be the same as the <option>--delay</option>

681

option passed to <command>&COMMANDNAME;</command>. Is

682

only set if <envar>MODE</envar> is

683

<quote><literal>start</literal></quote> or

684

<quote><literal>stop</literal></quote>.

685

</para>

686

</listitem>

687

</varlistentry>

688

689

<term><envar>CONNECT</envar></term>

690

691

<para>

692

This will be the same as the <option>--connect</option>

693

option passed to <command>&COMMANDNAME;</command>. Is

694

only set if <option>--connect</option> is passed and

695

<envar>MODE</envar> is

696

<quote><literal>start</literal></quote> or

697

<quote><literal>stop</literal></quote>.

698

</para>

699

</listitem>

700

</varlistentry>

701

</variablelist>

702

<para>

703

A hook may not read from standard input, and should be

704

restrictive in printing to standard output or standard error

705

unless <varname>VERBOSITY</varname> is

706

<quote><literal>1</literal></quote>.

707

</para>

708

</refsect2>

709

</refsect1>

710

711

302

712

<title>FILES</title>

303

<para>

304

</para>

713

714

715

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

716

></term>

717

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

718

></term>

719

720

<para>

721

OpenPGP public and private key files, in <quote>ASCII

722

Armor</quote> format. These are the default file names,

723

they can be changed with the <option>--pubkey</option> and

724

<option>--seckey</option> options.

725

</para>

726

</listitem>

727

</varlistentry>

728

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

743

<term><filename

744

class="directory">/lib/mandos/network-hooks.d</filename></term>

745

746

<para>

747

Directory where network hooks are located. Change this

748

with the <option>--network-hook-dir</option> option. See

749

<xref linkend="network-hooks"/>.

750

</para>

751

</listitem>

752

</varlistentry>

753

</variablelist>

305

754

</refsect1>

306

755

307

756

308

757

309

<para>

310

</para>

758

<xi:include href="../bugs.xml"/>

311

759

</refsect1>

312

760

313

761

314

762

<title>EXAMPLE</title>

315

763

<para>

764

Note that normally, command line options will not be given

765

directly, but via options for the Mandos <citerefentry

766

><refentrytitle>plugin-runner</refentrytitle>

767

<manvolnum>8mandos</manvolnum></citerefentry>.

316

768

</para>

769

770

<para>

771

Normal invocation needs no options, if the network interfaces

772

can be automatically determined:

773

</para>

774

<para>

775

<userinput>&COMMANDNAME;</userinput>

776

</para>

777

</informalexample>

778

779

<para>

780

Search for Mandos servers (and connect to them) using one

781

specific interface:

782

</para>

783

<para>

784

785

<userinput>&COMMANDNAME; --interface eth1</userinput>

786

</para>

787

</informalexample>

788

789

<para>

790

Run in debug mode, and use custom keys:

791

</para>

792

<para>

793

794

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

796

797

</para>

798

</informalexample>

799

800

<para>

801

Run in debug mode, with custom keys, and do not use Zeroconf

802

to locate a server; connect directly to the IPv6 link-local

803

address <quote><systemitem class="ipaddress"

804

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

805

using interface eth2:

806

</para>

807

<para>

808

809

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

811

812

</para>

813

</informalexample>

317

814

</refsect1>

318

815

319

816

320

817

<title>SECURITY</title>

321

818

<para>

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

822

</para>

823

<para>

824

To use this program for its intended purpose (see <xref

825

linkend="purpose"/>), the password for the root file system will

826

have to be given out to be stored in a server computer, after

827

having been encrypted using an OpenPGP key. This encrypted data

828

which will be stored in a server can only be decrypted by the

829

OpenPGP key, and the data will only be given out to those

830

clients who can prove they actually have that key. This key,

831

however, is stored unencrypted on the client side in its initial

832

<acronym>RAM</acronym> disk image file system. This is normally

833

readable by all, but this is normally fixed during installation

834

of this program; file permissions are set so that no-one is able

835

to read that file.

836

</para>

837

<para>

838

The only remaining weak point is that someone with physical

839

access to the client hard drive might turn off the client

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

846

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

847

</para>

848

<para>

849

It will also help if the checker program on the server is

850

configured to request something from the client which can not be

851

spoofed by someone else on the network, like SSH server key

852

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

853

echo (<quote>ping</quote>) replies.

854

</para>

855

<para>

856

<emphasis>Note</emphasis>: This makes it completely insecure to

857

have <application >Mandos</application> clients which dual-boot

858

to another operating system which is <emphasis>not</emphasis>

859

trusted to keep the initial <acronym>RAM</acronym> disk image

860

confidential.

322

861

</para>

323

862

</refsect1>

324

863

325

864

326

865

327

866

<para>

867

<citerefentry><refentrytitle>intro</refentrytitle>

868

<manvolnum>8mandos</manvolnum></citerefentry>,

869

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

870

<manvolnum>8</manvolnum></citerefentry>,

871

<citerefentry><refentrytitle>crypttab</refentrytitle>

872

<manvolnum>5</manvolnum></citerefentry>,

328

873

<citerefentry><refentrytitle>mandos</refentrytitle>

329

874

<manvolnum>8</manvolnum></citerefentry>,

330

875

<citerefentry><refentrytitle>password-prompt</refentrytitle>

332

877

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

333

878

<manvolnum>8mandos</manvolnum></citerefentry>

334

879

</para>

335

336

337

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

338

</para></listitem>

339

340

341

<ulink url="http://www.avahi.org/">Avahi</ulink>

342

</para></listitem>

343

344

345

<ulink

346

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

347

</para></listitem>

348

349

350

<ulink

351

url="http://www.gnupg.org/related_software/gpgme/">

352

GPGME</ulink>

353

</para></listitem>

354

355

356

<citation>RFC 4880: <citetitle>OpenPGP Message

357

Format</citetitle></citation>

358

</para></listitem>

359

360

361

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

362

Transport Layer Security</citetitle></citation>

363

</para></listitem>

364

365

366

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

367

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

368

Unicast Addresses</citation>

369

</para></listitem>

370

</itemizedlist>

880

881

882

<term>

883

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

884

</term>

885

886

<para>

887

Zeroconf is the network protocol standard used for finding

888

Mandos servers on the local network.

889

</para>

890

</listitem>

891

</varlistentry>

892

893

<term>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

895

</term>

896

897

<para>

898

Avahi is the library this program calls to find Zeroconf

899

services.

900

</para>

901

</listitem>

902

</varlistentry>

903

904

<term>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

906

</term>

907

908

<para>

909

GnuTLS is the library this client uses to implement TLS for

910

communicating securely with the server, and at the same time

911

send the public key to the server.

912

</para>

913

</listitem>

914

</varlistentry>

915

916

<term>

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

918

>GPGME</ulink>

919

</term>

920

921

<para>

922

GPGME is the library used to decrypt the OpenPGP data sent

923

by the server.

924

</para>

925

</listitem>

926

</varlistentry>

927

928

<term>

929

RFC 4291: <citetitle>IP Version 6 Addressing

930

Architecture</citetitle>

931

</term>

932

933

934

935

<term>Section 2.2: <citetitle>Text Representation of

936

Addresses</citetitle></term>

937

938

</varlistentry>

939

940

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

941

Address</citetitle></term>

942

943

</varlistentry>

944

945

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

946

Addresses</citetitle></term>

947

948

<para>

949

This client uses IPv6 link-local addresses, which are

950

immediately usable since a link-local addresses is

951

automatically assigned to a network interface when it

952

is brought up.

953

</para>

954

</listitem>

955

</varlistentry>

956

</variablelist>

957

</listitem>

958

</varlistentry>

959

960

<term>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

963

</term>

964

965

<para>

966

TLS 1.2 is the protocol implemented by GnuTLS.

967

</para>

968

</listitem>

969

</varlistentry>

970

971

<term>

972

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

973

</term>

974

975

<para>

976

The data received from the server is binary encrypted

977

OpenPGP data.

978

</para>

979

</listitem>

980

</varlistentry>

981

982

<term>

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

998

Security</citetitle>

999

</term>

1000

1001

<para>

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

1005

</para>

1006

</listitem>

1007

</varlistentry>

1008

</variablelist>

371

1009

</refsect1>

372

373

1010

</refentry>

1011

374

1012

375

1013

376

1014

Older »