/mandos/trunk : revision 1227

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/password-agent.xml

Committer: teddy at recompile
Date: 2020-11-30 16:25:32 UTC
Revision ID: teddy@recompile.se-20201130162532-b73s2tsihw3so6pw

Update Debian Policy version to 4.5.1; no other changes necessary.

* debian/control (Standards-Version): Change to "4.5.1".

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

dracut-module/password-agent.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "password-agent">

<!ENTITY TIMESTAMP "2020-09-16">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos client as a systemd password agent.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg><option>--agent-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--helper-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--user=<replaceable

>USERID</replaceable></option></arg>

<sbr/>

<arg><option>--group=<replaceable

>GROUPID</replaceable></option></arg>

<sbr/>

<arg>

<replaceable>MANDOS_CLIENT</replaceable>

<arg choice="plain"><replaceable>OPTIONS</replaceable></arg>

</group>

</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

102

103

<arg choice="plain"><option>--version</option></arg>

104

105

</group>

106

</cmdsynopsis>

107

</refsynopsisdiv>

108

109

110

<title>DESCRIPTION</title>

111

<para>

112

<command>&COMMANDNAME;</command> is a program which is meant to

113

be a <citerefentry><refentrytitle>systemd</refentrytitle>

114

<manvolnum>1</manvolnum></citerefentry> <quote>Password

115

Agent</quote> (See <ulink

116

url="https://systemd.io/PASSWORD_AGENTS/">Password

117

Agents</ulink>). The aim of this program is therefore to

118

acquire and then send a password to some other program which

119

will use the password to unlock the encrypted root disk.

120

</para>

121

<para>

122

This program is not meant to be invoked directly, but can be in

123

order to test it.

124

</para>

125

</refsect1>

126

127

128

<title>PURPOSE</title>

129

<para>

130

The purpose of this is to enable <emphasis>remote and unattended

131

rebooting</emphasis> of client host computer with an

132

<emphasis>encrypted root file system</emphasis>. See <xref

133

linkend="overview"/> for details.

134

</para>

135

</refsect1>

136

137

138

<title>OPTIONS</title>

139

140

141

142

<term><option>--agent-directory

143

<replaceable>DIRECTORY</replaceable></option></term>

144

145

<para>

146

Specify a different agent directory. The default is

147

<quote><filename class="directory"

148

>/run/systemd/ask-password</filename ></quote> as per the

149

<ulink url="https://systemd.io/PASSWORD_AGENTS/">Password

150

Agents</ulink> specification.

151

</para>

152

</listitem>

153

</varlistentry>

154

155

156

<term><option>--helper-directory

157

<replaceable>DIRECTORY</replaceable></option></term>

158

159

<para>

160

Specify a different helper directory. The default is

161

<quote><filename class="directory"

162

>/lib/mandos/plugin-helpers</filename

163

></quote>, which

164

will exist in the initial <acronym>RAM</acronym> disk

165

environment. (This will simply be passed to the

166

<replaceable>MANDOS_CLIENT</replaceable> program via the

167

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

168

See

169

<citerefentry><refentrytitle>mandos-client</refentrytitle

170

><manvolnum>8mandos</manvolnum></citerefentry>.)

171

</para>

172

</listitem>

173

</varlistentry>

174

175

176

<term><option>--user

177

<replaceable>USERID</replaceable></option></term>

178

179

<para>

180

Change real user ID to <replaceable>USERID</replaceable>

181

when running <replaceable>MANDOS_CLIENT</replaceable>.

182

The default is 65534. <emphasis>Note:</emphasis> This

183

must be a number, not a name.

184

</para>

185

</listitem>

186

</varlistentry>

187

188

189

<term><option>--group

190

<replaceable>GROUPID</replaceable></option></term>

191

192

<para>

193

Change real group ID to <replaceable>GROUPID</replaceable>

194

when running <replaceable>MANDOS_CLIENT</replaceable>.

195

The default is 65534. <emphasis>Note:</emphasis> This

196

must be a number, not a name.

197

</para>

198

</listitem>

199

</varlistentry>

200

201

202

<term><replaceable>MANDOS_CLIENT</replaceable></term>

203

204

<para>

205

This specifies the file name for

206

<citerefentry><refentrytitle>mandos-client</refentrytitle

207

><manvolnum>8mandos</manvolnum></citerefentry>. If the

208

<quote><option>--</option></quote> option is given, any

209

following options are passed to the <replaceable

210

>MANDOS_CLIENT</replaceable> program. The default is

211

<quote><filename

212

>/lib/mandos/plugins.d/mandos-client</filename ></quote>

213

(which is the correct location for the initial

214

<acronym>RAM</acronym> disk environment) without any

215

options.

216

</para>

217

</listitem>

218

</varlistentry>

219

220

221

222

223

224

<para>

225

Gives a help message about options and their meanings.

226

</para>

227

</listitem>

228

</varlistentry>

229

230

231

232

233

<para>

234

Ignore normal operation; instead only run self-tests.

235

Adding the <option>--help</option> option may show more

236

options possible in combination with

237

<option>--test</option>.

238

</para>

239

</listitem>

240

</varlistentry>

241

242

243

<term><option>--usage</option></term>

244

245

<para>

246

Gives a short usage message.

247

</para>

248

</listitem>

249

</varlistentry>

250

251

252

<term><option>--version</option></term>

253

254

255

<para>

256

Prints the program version.

257

</para>

258

</listitem>

259

</varlistentry>

260

</variablelist>

261

</refsect1>

262

263

264

<title>OVERVIEW</title>

265

<xi:include href="../overview.xml"/>

266

<para>

267

This program, &COMMANDNAME;, will run on the client side in the

268

initial <acronym>RAM</acronym> disk environment, and is

269

responsible for getting a password from the Mandos client

270

program itself, and to send that password to whatever is

271

currently asking for a password using the systemd <ulink

272

url="https://systemd.io/PASSWORD_AGENTS/">Password

273

Agents</ulink> mechanism.

274

</para>

275

<para>To accomplish this, &COMMANDNAME; runs the

276

<command>mandos-client</command> program (which is the actual

277

client program communicating with the Mandos server) or,

278

alternatively, any executable file specified as

279

<replaceable>MANDOS_CLIENT</replaceable>, and, as soon as a

280

password is acquired from the

281

<replaceable>MANDOS_CLIENT</replaceable> program, sends that

282

password (as per the <ulink

283

url="https://systemd.io/PASSWORD_AGENTS/">Password Agents</ulink>

284

specification) to all currently unanswered password questions.

285

</para>

286

<para>

287

This program should be started (normally as a systemd service,

288

which in turn is normally started by a <citerefentry

289

><refentrytitle>systemd.path</refentrytitle>

290

<manvolnum>5</manvolnum></citerefentry> file) as a reaction to

291

files named <quote><filename>ask.<replaceable>xxxx</replaceable

292

></filename></quote> appearing in the agent directory

293

<quote><filename

294

class="directory">/run/systemd/ask-password</filename></quote>

295

(or the directory specified by

296

<option>--agent-directory</option>).

297

</para>

298

</refsect1>

299

300

301

<title>EXIT STATUS</title>

302

<para>

303

Exit status of this program is zero if no errors were

304

encountered, and otherwise not.

305

</para>

306

</refsect1>

307

308

309

<title>ENVIRONMENT</title>

310

<para>

311

This program does not use any environment variables itself, it

312

only passes on its environment to

313

<replaceable>MANDOS_CLIENT</replaceable>. Also, the

314

<option>--helper-directory</option> option will affect the

315

environment variable <envar>MANDOSPLUGINHELPERDIR</envar> for

316

<replaceable>MANDOS_CLIENT</replaceable>.

317

</para>

318

</refsect1>

319

320

321

<title>FILES</title>

322

<para>

323

324

325

<term><filename class="directory"

326

>/run/systemd/ask-password</filename></term>

327

328

<para>

329

The default directory to watch for password questions as

330

per the <ulink

331

url="https://systemd.io/PASSWORD_AGENTS/">Password

332

Agents</ulink> specification; can be changed by the

333

<option>--agent-directory</option> option.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

<term><filename class="directory"

339

>/lib/mandos/plugin-helpers</filename

340

></term>

341

342

<para>

343

The helper directory as supplied to

344

<replaceable>MANDOS_CLIENT</replaceable> via the

345

<envar>MANDOSPLUGINHELPERDIR</envar> environment

346

variable; can be changed by the

347

<option>--helper-directory</option> option.

348

</para>

349

</listitem>

350

</varlistentry>

351

</variablelist>

352

</para>

353

</refsect1>

354

355

356

357

<xi:include href="../bugs.xml"/>

358

</refsect1>

359

360

361

<title>EXAMPLE</title>

362

363

<para>

364

Normal invocation needs no options:

365

</para>

366

<para>

367

<userinput>&COMMANDNAME;</userinput>

368

</para>

369

</informalexample>

370

371

<para>

372

Run an alternative <replaceable>MANDOS_CLIENT</replaceable>

373

program::

374

</para>

375

<para>

376

<userinput>&COMMANDNAME; /usr/local/sbin/alternate</userinput>

377

</para>

378

</informalexample>

379

380

<para>

381

Use alternative locations for the helper directory and the

382

Mandos client, and add extra options suitable for running in

383

the normal file system:

384

</para>

385

<para>

386

387

388

<userinput>&COMMANDNAME; --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers -- /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --tls-privkey=/etc/keys/mandos/tls-privkey.pem</userinput>

389

390

</para>

391

</informalexample>

392

393

<para>

394

Use the default location for

395

<citerefentry><refentrytitle>mandos-client</refentrytitle>

396

<manvolnum>8mandos</manvolnum></citerefentry>, but add many

397

options to it:

398

</para>

399

<para>

400

401

402

<userinput>&COMMANDNAME; -- /lib/mandos/plugins.d/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem</userinput>

403

404

</para>

405

</informalexample>

406

407

<para>

408

Only run the self-tests:

409

</para>

410

<para>

411

<userinput>&COMMANDNAME; --test</userinput>

412

</para>

413

</informalexample>

414

</refsect1>

415

416

<title>SECURITY</title>

417

<para>

418

This program will need to run as the root user in order to read

419

the agent directory and the <quote><filename

420

>ask.<replaceable>xxxx</replaceable></filename></quote> files

421

there, and will, when starting the Mandos client program,

422

require the ability to set the <quote>real</quote> user and

423

group ids to another user, by default user and group 65534,

424

which are assumed to be non-privileged. This is done in order

425

to match the expectations of <citerefentry><refentrytitle

426

>mandos-client</refentrytitle><manvolnum>8mandos</manvolnum

427

></citerefentry>, which assumes that its executable file is

428

owned by the root user and also has the set-user-ID bit set (see

429

<citerefentry><refentrytitle>execve</refentrytitle><manvolnum

430

>2</manvolnum></citerefentry>).

431

</para>

432

</refsect1>

433

434

435

436

<para>

437

<citerefentry><refentrytitle>intro</refentrytitle>

438

<manvolnum>8mandos</manvolnum></citerefentry>,

439

<citerefentry><refentrytitle>mandos-client</refentrytitle>

440

<manvolnum>8mandos</manvolnum></citerefentry>,

441

<citerefentry><refentrytitle>systemd</refentrytitle>

442

<manvolnum>1</manvolnum></citerefentry>,

443

</para>

444

445

446

<term>

447

<ulink url="https://systemd.io/PASSWORD_AGENTS/">Password

448

Agents</ulink>

449

</term>

450

451

<para>

452

The specification for systemd <quote>Password

453

Agent</quote> programs, which

454

<command>&COMMANDNAME;</command> follows.

455

</para>

456

</listitem>

457

</varlistentry>

458

</variablelist>

459

</refsect1>

460

461

</refentry>

462

463

464

465

466

Older »