/mandos/trunk : revision 12

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/usplash.xml

Committer: Teddy Hogeborn
Date: 2008-07-19 18:43:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080719184324-iwhoa5in75xa0u2u

* mandos-clients.conf ([foo]/dn, [foo]/password, [braxen_client]/dn,
                       [braxen_client]/password): Removed.
  ([foo]/fingerprint, [braxen_client]/fingerprint): New.
  ([foo]/checker): New.
  ([foo]/secfile): New.
  ([braxen_client]/secret): New.

* server.py: New "--debug" option to set debug flag.  Removed "cert",
             "key", "ca", "crl", and "cred" variables.  Added default
             value for "checker" config file setting.  Do not pass
             credentials to IPv6_TCPServer constructor.
  (debug): New global debug flag.  Used by most debugging output code.
  (Client.__init__): Keyword argument "dn" replaced by "fingerprint",
                     "password" renamed to "secret", and "passfile"
                     renamed to "secfile".  New keyword argument
                     "checker". All callers changed.
  (Client.dn): Removed.
  (Client.fingerprint): New.
  (Client.password): Renamed to "secret"; all users changed.
  (Client.passfile): Renamed to "secfile"; all users changed.
  (Client.timeout, Client.interval): Changed to be properties; now
                                     automatically updates the
                                     "_timeout_milliseconds" and
                                     "_interval_milliseconds" values.
  (Client.timeout_milliseconds): Renamed to "_timeout_milliseconds".
  (Client.interval_milliseconds): Renamed to "_interval_milliseconds".
  (Client.check_command): New.
  (Client.start_checker): Use the new "check_command" attribute.
  (peer_certificate, fingerprint): New functions.

  (tcp_handler.handle): Use ClientSession with empty credentials
                        object instead of ServerSession.  Set gnutls
                        priority string.  Do not verify peer.  Use
                        fingerprint instead of DN when searching for
                        clients.  Bug fix: Loop sending data so even large
                        secret data strings are sent.
  (IPv6_TCPServer.credentials): Removed.
  (if_nametoindex): Do not import ctypes since that is now imported
                    globally.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/usplash.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "usplash">

<!ENTITY TIMESTAMP "2008-10-04">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Mandos plugin to use usplash to get a

password.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

This program prompts for a password using <citerefentry>

<refentrytitle>usplash</refentrytitle><manvolnum>8</manvolnum>

</citerefentry> and outputs any given password to standard

output. If no <citerefentry><refentrytitle

>usplash</refentrytitle><manvolnum>8</manvolnum></citerefentry>

process can be found, this program will immediately exit with an

exit code indicating failure.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

If this program is killed (presumably by

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

<manvolnum>8mandos</manvolnum></citerefentry> because some other

plugin provided the password), it cannot tell <citerefentry>

<refentrytitle>usplash</refentrytitle><manvolnum>8</manvolnum>

</citerefentry> to abort requesting a password, because

<citerefentry><refentrytitle>usplash</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> does not support this.

Therefore, this program will then <emphasis>kill</emphasis> the

running <citerefentry><refentrytitle>usplash</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> process and start a

<emphasis>new</emphasis> one using the same command line

arguments as the old one was using.

</para>

</refsect1>

<title>OPTIONS</title>

<para>

This program takes no options.

</para>

</refsect1>

100

101

<title>EXIT STATUS</title>

102

<para>

103

If exit status is 0, the output from the program is the password

104

as it was read. Otherwise, if exit status is other than 0, the

105

program was interrupted or encountered an error, and any output

106

so far could be corrupt and/or truncated, and should therefore

107

be ignored.

108

</para>

109

</refsect1>

110

111

112

<title>ENVIRONMENT</title>

113

114

115

<term><envar>cryptsource</envar></term>

116

<term><envar>crypttarget</envar></term>

117

118

<para>

119

If set, these environment variables will be assumed to

120

contain the source device name and the target device

121

mapper name, respectively, and will be shown as part of

122

the prompt.

123

</para>

124

<para>

125

These variables will normally be inherited from

126

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>, which will

128

normally have inherited them from

129

<filename>/scripts/local-top/cryptroot</filename> in the

130

initial <acronym>RAM</acronym> disk environment, which will

131

have set them from parsing kernel arguments and

132

<filename>/conf/conf.d/cryptroot</filename> (also in the

133

initial RAM disk environment), which in turn will have been

134

created when the initial RAM disk image was created by

135

<filename

136

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

137

extracting the information of the root file system from

138

<filename >/etc/crypttab</filename>.

139

</para>

140

<para>

141

This behavior is meant to exactly mirror the behavior of

142

<command>askpass</command>, the default password prompter.

143

</para>

144

</listitem>

145

</varlistentry>

146

</variablelist>

147

</refsect1>

148

149

150

<title>FILES</title>

151

152

153

<term><filename>/dev/.initramfs/usplash_fifo</filename></term>

154

155

<para>

156

This is the <acronym>FIFO</acronym> to where this program

157

will write the commands for <citerefentry><refentrytitle

158

>usplash</refentrytitle><manvolnum>8</manvolnum>

159

</citerefentry>. See <citerefentry><refentrytitle

160

>fifo</refentrytitle><manvolnum>7</manvolnum>

161

</citerefentry>.

162

</para>

163

</listitem>

164

</varlistentry>

165

166

<term><filename>/dev/.initramfs/usplash_outfifo</filename></term>

167

168

<para>

169

This is the <acronym>FIFO</acronym> where this program

170

will read the password from <citerefentry><refentrytitle

171

>usplash</refentrytitle><manvolnum>8</manvolnum>

172

</citerefentry>. See <citerefentry><refentrytitle

173

>fifo</refentrytitle><manvolnum>7</manvolnum>

174

</citerefentry>.

175

</para>

176

</listitem>

177

</varlistentry>

178

179

180

181

<para>

182

To find the running <citerefentry><refentrytitle

183

>usplash</refentrytitle><manvolnum>8</manvolnum>

184

</citerefentry>, this directory will be searched for

185

numeric entries which will be assumed to be directories.

186

In all those directories, the <filename>exe</filename> and

187

<filename>cmdline</filename> entries will be used to

188

determine the name of the running binary, effective user

189

and group <abbrev>ID</abbrev>, and the command line

190

arguments. See <citerefentry><refentrytitle

191

>proc</refentrytitle><manvolnum>5</manvolnum>

192

</citerefentry>.

193

</para>

194

</listitem>

195

</varlistentry>

196

197

<term><filename>/sbin/usplash</filename></term>

198

199

<para>

200

This is the name of the binary which will be searched for

201

in the process list. See <citerefentry><refentrytitle

202

>usplash</refentrytitle><manvolnum>8</manvolnum>

203

</citerefentry>.

204

</para>

205

</listitem>

206

</varlistentry>

207

</variablelist>

208

</refsect1>

209

210

211

212

<para>

213

Killing <citerefentry><refentrytitle>usplash</refentrytitle>

214

<manvolnum>8</manvolnum></citerefentry> and starting a new one

215

is ugly, but necessary as long as it does not support aborting a

216

password request.

217

</para>

218

</refsect1>

219

220

221

<title>EXAMPLE</title>

222

<para>

223

Note that normally, this program will not be invoked directly,

224

but instead started by the Mandos <citerefentry><refentrytitle

225

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

226

</citerefentry>.

227

</para>

228

229

<para>

230

This program takes no options.

231

</para>

232

<para>

233

<userinput>&COMMANDNAME;</userinput>

234

</para>

235

</informalexample>

236

</refsect1>

237

238

239

<title>SECURITY</title>

240

<para>

241

If this program is killed by a signal, it will kill the process

242

<abbrev>ID</abbrev> which at the start of this program was

243

determined to run <citerefentry><refentrytitle

244

>usplash</refentrytitle><manvolnum>8</manvolnum></citerefentry>

245

as root (see also <xref linkend="files"/>). There is a very

246

slight risk that, in the time between those events, that process

247

<abbrev>ID</abbrev> was freed and then taken up by another

248

process; the wrong process would then be killed. Now, this

249

program can only be killed by the user who started it; see

250

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

251

<manvolnum>8mandos</manvolnum></citerefentry>. This program

252

should therefore be started by a completely separate

253

non-privileged user, and no other programs should be allowed to

254

run as that special user. This means that it is not recommended

255

to use the user "nobody" to start this program, as other

256

possibly less trusted programs could be running as "nobody", and

257

they would then be able to kill this program, triggering the

258

killing of the process <abbrev>ID</abbrev> which may or may not

259

be <citerefentry><refentrytitle>usplash</refentrytitle>

260

<manvolnum>8</manvolnum></citerefentry>.

261

</para>

262

<para>

263

The only other thing that could be considered worthy of note is

264

this: This program is meant to be run by <citerefentry>

265

<refentrytitle>plugin-runner</refentrytitle><manvolnum

266

>8mandos</manvolnum></citerefentry>, and will, when run

267

standalone, outside, in a normal environment, immediately output

268

on its standard output any presumably secret password it just

269

received. Therefore, when running this program standalone

270

(which should never normally be done), take care not to type in

271

any real secret password by force of habit, since it would then

272

immediately be shown as output.

273

</para>

274

</refsect1>

275

276

277

278

<para>

279

<citerefentry><refentrytitle>crypttab</refentrytitle>

280

<manvolnum>5</manvolnum></citerefentry>,

281

282

<manvolnum>7</manvolnum></citerefentry>,

283

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

284

<manvolnum>8mandos</manvolnum></citerefentry>,

285

286

<manvolnum>5</manvolnum></citerefentry>,

287

<citerefentry><refentrytitle>usplash</refentrytitle>

288

289

</para>

290

</refsect1>

291

</refentry>

292

293

294

295

296

Older »