/mandos/trunk : revision 1197

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: teddy at recompile
Date: 2020-01-12 01:53:04 UTC
Revision ID: teddy@recompile.se-20200112015304-gqif9w4pbyix8w6b

mandos-ctl: Fix minor bug in tests

Fix two tests, the last assert of which would always erroneously
succeed.  (No change in non-test code needed.)

* mandos-ctl (Test_dbus_python_adapter_SystemBus): In the
  test_call_method_handles_exception() method, fix check for
  dbus.ConnectFailed exception.
  (Test_pydbus_adapter_SystemBus): - '' -

files added:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

152

169

brings up network interfaces, uses the interfaces’ IPv6

153

170

link-local addresses to get network connectivity, uses Zeroconf

154

171

to find servers on the local network, and communicates with

155

servers using TLS with an OpenPGP key to ensure authenticity and

156

confidentiality. This client program keeps running, trying all

157

servers on the network, until it receives a satisfactory reply

158

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

159

176

servers are periodically retried. If no servers are found it

160

177

will wait indefinitely for new servers to appear.

161

178

</para>

305

322

</varlistentry>

306

323

307

324

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

308

353

<term><option>--priority=<replaceable

309

354

>STRING</replaceable></option></term>

310

355

320

365

<para>

321

366

Sets the number of bits to use for the prime number in the

322

367

TLS Diffie-Hellman key exchange. The default value is

323

selected automatically based on the OpenPGP key. Note

324

that if the <option>--dh-params</option> option is used,

325

the values from that file will be used instead.

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

326

372

</para>

327

373

</listitem>

328

374

</varlistentry>

479

525

<para>

480

526

This environment variable will be assumed to contain the

481

527

directory containing any helper executables. The use and

482

nature of these helper executables, if any, is

483

purposefully not documented.

528

nature of these helper executables, if any, is purposely

529

not documented.

484

530

</para>

485

531

</listitem>

486

532

</varlistentry>

680

726

</listitem>

681

727

</varlistentry>

682

728

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

683

743

<term><filename

684

744

class="directory">/lib/mandos/network-hooks.d</filename></term>

685

745

727

787

</informalexample>

728

788

729

789

<para>

730

Run in debug mode, and use a custom key:

790

Run in debug mode, and use custom keys:

731

791

</para>

732

792

<para>

733

793

734

794

735

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

736

796

737

797

</para>

738

798

</informalexample>

739

799

740

800

<para>

741

Run in debug mode, with a custom key, and do not use Zeroconf

801

Run in debug mode, with custom keys, and do not use Zeroconf

742

802

to locate a server; connect directly to the IPv6 link-local

743

803

address <quote><systemitem class="ipaddress"

744

804

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

747

807

<para>

748

808

749

809

750

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

811

752

812

</para>

753

813

</informalexample>

756

816

757

817

<title>SECURITY</title>

758

818

<para>

759

This program is set-uid to root, but will switch back to the

760

original (and presumably non-privileged) user and group after

761

bringing up the network interface.

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

762

822

</para>

763

823

<para>

764

824

To use this program for its intended purpose (see <xref

777

837

<para>

778

838

The only remaining weak point is that someone with physical

779

839

access to the client hard drive might turn off the client

780

computer, read the OpenPGP keys directly from the hard drive,

781

and communicate with the server. To safeguard against this, the

782

server is supposed to notice the client disappearing and stop

783

giving out the encrypted data. Therefore, it is important to

784

set the timeout and checker interval values tightly on the

785

server. See <citerefentry><refentrytitle

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

786

846

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

787

847

</para>

788

848

<para>

831

891

</varlistentry>

832

892

833

893

<term>

834

<ulink url="http://www.avahi.org/">Avahi</ulink>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

835

895

</term>

836

896

837

897

<para>

842

902

</varlistentry>

843

903

844

904

<term>

845

<ulink url="http://www.gnu.org/software/gnutls/"

846

>GnuTLS</ulink>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

847

906

</term>

848

907

849

908

<para>

850

909

GnuTLS is the library this client uses to implement TLS for

851

910

communicating securely with the server, and at the same time

852

send the public OpenPGP key to the server.

911

send the public key to the server.

853

912

</para>

854

913

</listitem>

855

914

</varlistentry>

856

915

857

916

<term>

858

<ulink url="http://www.gnupg.org/related_software/gpgme/"

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

859

918

>GPGME</ulink>

860

919

</term>

861

920

899

958

</varlistentry>

900

959

901

960

<term>

902

RFC 4346: <citetitle>The Transport Layer Security (TLS)

903

Protocol Version 1.1</citetitle>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

904

963

</term>

905

964

906

965

<para>

907

TLS 1.1 is the protocol implemented by GnuTLS.

966

TLS 1.2 is the protocol implemented by GnuTLS.

908

967

</para>

909

968

</listitem>

910

969

</varlistentry>

921

980

</varlistentry>

922

981

923

982

<term>

924

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

925

998

Security</citetitle>

926

999

</term>

927

1000

928

1001

<para>

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

931

1005

</para>

932

1006

</listitem>

933

1007

</varlistentry>

Older »