/mandos/trunk : revision 1203

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: teddy at recompile
Date: 2020-02-07 20:53:34 UTC
Revision ID: teddy@recompile.se-20200207205334-dp41p8c8vw0ytik5

Allow users to more easily alter mandos.service

The sysvinit script uses /etc/default/mandos as an environment file,
and supports adding additional server options to a DAEMON_ARGS
environment variable.  This should be supported by the systemd
service, too.

* mandos.service ([Service]/EnvironmentFile): New; set to
  "/etc/default/mandos ".
  ([Service]/ExecStart): Append "$DAEMON_ARGS".

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

</group>

<sbr/>

<group>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

</arg>

128

<sbr/>

137

166

communicates with <citerefentry><refentrytitle

138

167

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

139

168

to get a password. In slightly more detail, this client program

140

brings up a network interface, uses the interface’s IPv6

141

link-local address to get network connectivity, uses Zeroconf to

142

find servers on the local network, and communicates with servers

143

using TLS with an OpenPGP key to ensure authenticity and

144

confidentiality. This client program keeps running, trying all

145

servers on the network, until it receives a satisfactory reply

146

or a TERM signal. After all servers have been tried, all

169

brings up network interfaces, uses the interfaces’ IPv6

170

link-local addresses to get network connectivity, uses Zeroconf

171

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

147

176

servers are periodically retried. If no servers are found it

148

177

will wait indefinitely for new servers to appear.

149

178

</para>

150

179

<para>

151

The network interface is selected like this: If an interface is

152

specified using the <option>--interface</option> option, that

153

interface is used. Otherwise, <command>&COMMANDNAME;</command>

154

will choose any interface that is up and running and is not a

155

loopback interface, is not a point-to-point interface, is

156

capable of broadcasting and does not have the NOARP flag (see

180

The network interfaces are selected like this: If any interfaces

181

are specified using the <option>--interface</option> option,

182

those interface are used. Otherwise,

183

<command>&COMMANDNAME;</command> will use all interfaces that

184

are not loopback interfaces, are not point-to-point interfaces,

185

are capable of broadcasting and do not have the NOARP flag (see

157

186

<citerefentry><refentrytitle>netdevice</refentrytitle>

158

187

<manvolnum>7</manvolnum></citerefentry>). (If the

159

188

<option>--connect</option> option is used, point-to-point

160

interfaces and non-broadcast interfaces are accepted.) If no

161

acceptable interfaces are found, re-run the check but without

162

the <quote>up and running</quote> requirement, and manually take

163

the selected interface up (and later take it down on program

164

exit).

189

interfaces and non-broadcast interfaces are accepted.) If any

190

used interfaces are not up and running, they are first taken up

191

(and later taken down again on program exit).

165

192

</para>

166

193

<para>

167

Before a network interface is selected, all <quote>network

194

Before network interfaces are selected, all <quote>network

168

195

hooks</quote> are run; see <xref linkend="network-hooks"/>.

169

196

</para>

170

197

<para>

218

245

assumed to separate the address from the port number.

219

246

</para>

220

247

<para>

221

This option is normally only useful for testing and

222

debugging.

248

Normally, Zeroconf would be used to locate Mandos servers,

249

in which case this option would only be used when testing

250

and debugging.

223

251

</para>

224

252

</listitem>

225

253

</varlistentry>

226

254

227

255

228

256

<term><option>--interface=<replaceable

229

>NAME</replaceable></option></term>

257

>NAME</replaceable><arg rep='repeat'>,<replaceable

258

>NAME</replaceable></arg></option></term>

230

259

<term><option>-i

231

260

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

261

>NAME</replaceable></arg></option></term>

232

262

233

263

<para>

234

Network interface that will be brought up and scanned for

235

Mandos servers to connect to. The default is the empty

236

string, which will automatically choose an appropriate

237

interface.

264

Comma separated list of network interfaces that will be

265

brought up and scanned for Mandos servers to connect to.

266

The default is the empty string, which will automatically

267

use all appropriate interfaces.

238

268

</para>

239

269

<para>

240

If the <option>--connect</option> option is used, this

241

specifies the interface to use to connect to the address

242

given.

270

If the <option>--connect</option> option is used, and

271

exactly one interface name is specified (except

272

<quote><literal>none</literal></quote>), this specifies

273

the interface to use to connect to the address given.

243

274

</para>

244

275

<para>

245

276

Note that since this program will normally run in the

246

277

initial RAM disk environment, the interface must be an

247

278

interface which exists at that stage. Thus, the interface

248

can not be a pseudo-interface such as <quote>br0</quote>

249

or <quote>tun0</quote>; such interfaces will not exist

250

until much later in the boot process, and can not be used

251

by this program, unless created by a <quote>network

252

hook</quote> — see <xref linkend="network-hooks"/>.

279

can normally not be a pseudo-interface such as

280

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

281

will not exist until much later in the boot process, and

282

can not be used by this program, unless created by a

283

<quote>network hook</quote> — see <xref

284

linkend="network-hooks"/>.

253

285

</para>

254

286

<para>

255

287

<replaceable>NAME</replaceable> can be the string

256

<quote><literal>none</literal></quote>; this will not use

257

any specific interface, and will not bring up an interface

258

on startup. This is not recommended, and only meant for

259

advanced users.

288

<quote><literal>none</literal></quote>; this will make

289

<command>&COMMANDNAME;</command> only bring up interfaces

290

specified <emphasis>before</emphasis> this string. This

291

is not recommended, and only meant for advanced users.

260

292

</para>

261

293

</listitem>

262

294

</varlistentry>

290

322

</varlistentry>

291

323

292

324

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

293

353

<term><option>--priority=<replaceable

294

354

>STRING</replaceable></option></term>

295

355

304

364

305

365

<para>

306

366

Sets the number of bits to use for the prime number in the

307

TLS Diffie-Hellman key exchange. Default is 1024.

367

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

308

389

</para>

309

390

</listitem>

310

391

</varlistentry>

314

395

>SECONDS</replaceable></option></term>

315

396

316

397

<para>

317

After bringing the network interface up, the program waits

398

After bringing a network interface up, the program waits

318

399

for the interface to arrive in a <quote>running</quote>

319

400

state before proceeding. During this time, the kernel log

320

401

level will be lowered to reduce clutter on the system

437

518

438

519

439

520

<title>ENVIRONMENT</title>

521

522

523

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

524

525

<para>

526

This environment variable will be assumed to contain the

527

directory containing any helper executables. The use and

528

nature of these helper executables, if any, is purposely

529

not documented.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

440

534

<para>

441

This program does not use any environment variables, not even

442

the ones provided by <citerefentry><refentrytitle

535

This program does not use any other environment variables, not

536

even the ones provided by <citerefentry><refentrytitle

443

537

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

444

538

</citerefentry>.

445

539

</para>

507

601

It is not necessary to print any non-executable files

508

602

already in the network hook directory, these will be

509

603

copied implicitly if they otherwise satisfy the name

510

requirement.

604

requirements.

511

605

</para>

512

606

</listitem>

513

607

</varlistentry>

547

641

<term><envar>DEVICE</envar></term>

548

642

549

643

<para>

550

The network interface, as specified to

644

The network interfaces, as specified to

551

645

<command>&COMMANDNAME;</command> by the

552

<option>--interface</option> option. If this is not the

553

interface a hook will bring up, there is no reason for a

554

hook to continue.

646

<option>--interface</option> option, combined to one

647

string and separated by commas. If this is set, and

648

does not contain the interface a hook will bring up,

649

there is no reason for a hook to continue.

555

650

</para>

556

651

</listitem>

557

652

</varlistentry>

631

726

</listitem>

632

727

</varlistentry>

633

728

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

634

743

<term><filename

635

744

class="directory">/lib/mandos/network-hooks.d</filename></term>

636

745

644

753

</variablelist>

645

754

</refsect1>

646

755

647

648

649

650

651

756

757

758

<xi:include href="../bugs.xml"/>

759

</refsect1>

652

760

653

761

654

762

<title>EXAMPLE</title>

660

768

</para>

661

769

662

770

<para>

663

Normal invocation needs no options, if the network interface

664

is <quote>eth0</quote>:

771

Normal invocation needs no options, if the network interfaces

772

can be automatically determined:

665

773

</para>

666

774

<para>

667

775

<userinput>&COMMANDNAME;</userinput>

669

777

</informalexample>

670

778

671

779

<para>

672

Search for Mandos servers (and connect to them) using another

673

interface:

780

Search for Mandos servers (and connect to them) using one

781

specific interface:

674

782

</para>

675

783

<para>

676

784

679

787

</informalexample>

680

788

681

789

<para>

682

Run in debug mode, and use a custom key:

790

Run in debug mode, and use custom keys:

683

791

</para>

684

792

<para>

685

793

686

794

687

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

688

796

689

797

</para>

690

798

</informalexample>

691

799

692

800

<para>

693

Run in debug mode, with a custom key, and do not use Zeroconf

801

Run in debug mode, with custom keys, and do not use Zeroconf

694

802

to locate a server; connect directly to the IPv6 link-local

695

803

address <quote><systemitem class="ipaddress"

696

804

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

699

807

<para>

700

808

701

809

702

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

703

811

704

812

</para>

705

813

</informalexample>

708

816

709

817

<title>SECURITY</title>

710

818

<para>

711

This program is set-uid to root, but will switch back to the

712

original (and presumably non-privileged) user and group after

713

bringing up the network interface.

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

714

822

</para>

715

823

<para>

716

824

To use this program for its intended purpose (see <xref

729

837

<para>

730

838

The only remaining weak point is that someone with physical

731

839

access to the client hard drive might turn off the client

732

computer, read the OpenPGP keys directly from the hard drive,

733

and communicate with the server. To safeguard against this, the

734

server is supposed to notice the client disappearing and stop

735

giving out the encrypted data. Therefore, it is important to

736

set the timeout and checker interval values tightly on the

737

server. See <citerefentry><refentrytitle

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

738

846

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

739

847

</para>

740

848

<para>

741

849

It will also help if the checker program on the server is

742

850

configured to request something from the client which can not be

743

spoofed by someone else on the network, unlike unencrypted

744

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

851

spoofed by someone else on the network, like SSH server key

852

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

853

echo (<quote>ping</quote>) replies.

745

854

</para>

746

855

<para>

747

856

<emphasis>Note</emphasis>: This makes it completely insecure to

782

891

</varlistentry>

783

892

784

893

<term>

785

<ulink url="http://www.avahi.org/">Avahi</ulink>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

786

895

</term>

787

896

788

897

<para>

793

902

</varlistentry>

794

903

795

904

<term>

796

<ulink url="http://www.gnu.org/software/gnutls/"

797

>GnuTLS</ulink>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

798

906

</term>

799

907

800

908

<para>

801

909

GnuTLS is the library this client uses to implement TLS for

802

910

communicating securely with the server, and at the same time

803

send the public OpenPGP key to the server.

911

send the public key to the server.

804

912

</para>

805

913

</listitem>

806

914

</varlistentry>

807

915

808

916

<term>

809

<ulink url="http://www.gnupg.org/related_software/gpgme/"

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

810

918

>GPGME</ulink>

811

919

</term>

812

920

840

948

<para>

841

949

This client uses IPv6 link-local addresses, which are

842

950

immediately usable since a link-local addresses is

843

automatically assigned to a network interfaces when it

951

automatically assigned to a network interface when it

844

952

is brought up.

845

953

</para>

846

954

</listitem>

850

958

</varlistentry>

851

959

852

960

<term>

853

RFC 4346: <citetitle>The Transport Layer Security (TLS)

854

Protocol Version 1.1</citetitle>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

855

963

</term>

856

964

857

965

<para>

858

TLS 1.1 is the protocol implemented by GnuTLS.

966

TLS 1.2 is the protocol implemented by GnuTLS.

859

967

</para>

860

968

</listitem>

861

969

</varlistentry>

872

980

</varlistentry>

873

981

874

982

<term>

875

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

876

998

Security</citetitle>

877

999

</term>

878

1000

879

1001

<para>

880

This is implemented by GnuTLS and used by this program so

881

that OpenPGP keys can be used.

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

882

1005

</para>

883

1006

</listitem>

884

1007

</varlistentry>

Older »