/mandos/trunk : revision 128

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-08-31 13:55:04 UTC
Revision ID: teddy@fukt.bsnet.se-20080831135504-2ka1cccglsghslxy

* plugin-runner.xml (/refentry/refentryinfo/copyright): Split
                                                        copyright
                                                        holders.
* plugins.d/password-request.xml (/refentry/refentryinfo/copyright):
                                 Split copyright holders.

files removed:
legalnotice.xml

files modified:
Makefile

TODO

mandos-clients.conf.xml

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

104

128

105

129

<command>&COMMANDNAME;</command>

106

130

107

108

131

132

109

133

</group>

110

134

</cmdsynopsis>

111

135

112

136

<command>&COMMANDNAME;</command>

113

<arg choice="plain"><option>--usage</option></arg>

137

<arg choice='plain'><option>--usage</option></arg>

114

138

</cmdsynopsis>

115

139

116

140

<command>&COMMANDNAME;</command>

117

141

118

<arg choice="plain"><option>--version</option></arg>

119

142

<arg choice='plain'><option>--version</option></arg>

143

120

144

</group>

121

145

</cmdsynopsis>

122

146

</refsynopsisdiv>

124

148

125

149

<title>DESCRIPTION</title>

126

150

<para>

127

<command>&COMMANDNAME;</command> is a client program that

128

communicates with <citerefentry><refentrytitle

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find servers, and TLS with an

132

OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply or a TERM signal is recieved.

135

</para>

136

<para>

137

This program is not meant to be run directly; it is really meant

138

to run as a plugin of the <application>Mandos</application>

139

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

140

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

141

initial <acronym>RAM</acronym> disk environment because it is

142

specified as a <quote>keyscript</quote> in the <citerefentry>

143

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

144

</citerefentry> file.

145

</para>

146

</refsect1>

147

148

149

<title>PURPOSE</title>

150

<para>

151

The purpose of this is to enable <emphasis>remote and unattended

152

rebooting</emphasis> of client host computer with an

153

<emphasis>encrypted root file system</emphasis>. See <xref

154

linkend="overview"/> for details.

151

<command>&COMMANDNAME;</command> is a mandos plugin that works

152

like a client program that through avahi detects mandos servers,

153

sets up a gnutls connect and request a encrypted password. Any

154

passwords given is automaticly decrypted and passed to

155

cryptsetup.

155

156

</para>

156

157

</refsect1>

157

158

159

159

160

<title>OPTIONS</title>

160

161

<para>

161

This program is commonly not invoked from the command line; it

162

is normally started by the <application>Mandos</application>

163

plugin runner, see <citerefentry><refentrytitle

164

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

165

</citerefentry>. Any command line options this program accepts

166

are therefore normally provided by the plugin runner, and not

167

directly.

162

Commonly not invoked as command lines but from configuration

163

file of plugin runner.

168

164

</para>

169

165

170

166

171

167

172

168

<term><option>--connect=<replaceable

173

>ADDRESS</replaceable><literal>:</literal><replaceable

169

>IPADDR</replaceable><literal>:</literal><replaceable

174

170

>PORT</replaceable></option></term>

175

171

<term><option>-c

176

<replaceable>ADDRESS</replaceable><literal>:</literal

172

<replaceable>IPADDR</replaceable><literal>:</literal

177

173

><replaceable>PORT</replaceable></option></term>

178

174

179

175

<para>

180

Do not use Zeroconf to locate servers. Connect directly

181

to only one specified <application>Mandos</application>

182

server. Note that an IPv6 address has colon characters in

183

it, so the <emphasis>last</emphasis> colon character is

184

assumed to separate the address from the port number.

185

</para>

186

<para>

187

This option is normally only useful for testing and

188

debugging.

176

Connect directly to a specified mandos server

189

177

</para>

190

178

</listitem>

191

179

</varlistentry>

192

180

193

181

194

182

<term><option>--keydir=<replaceable

195

183

>DIRECTORY</replaceable></option></term>

197

185

<replaceable>DIRECTORY</replaceable></option></term>

198

186

199

187

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

188

Directory where the openpgp keyring is

205

189

</para>

206

190

</listitem>

207

191

</varlistentry>

213

197

214

198

215

199

<para>

216

Network interface that will be brought up and scanned for

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

219

</para>

220

<para>

221

If the <option>--connect</option> option is used, this

222

specifies the interface to use to connect to the address

223

given.

200

Interface that Avahi will connect through

224

201

</para>

225

202

</listitem>

226

203

</varlistentry>

227

204

228

205

229

206

<term><option>--pubkey=<replaceable

230

207

>FILE</replaceable></option></term>

232

209

233

210

234

211

<para>

235

OpenPGP public key file base name. This will be combined

236

with the directory from the <option>--keydir</option>

237

option to form an absolute file name. The default name is

238

<quote><literal>pubkey.txt</literal></quote>.

212

Public openpgp key for gnutls authentication

239

213

</para>

240

214

</listitem>

241

215

</varlistentry>

247

221

248

222

249

223

<para>

250

OpenPGP secret key file base name. This will be combined

251

with the directory from the <option>--keydir</option>

252

option to form an absolute file name. The default name is

253

<quote><literal>seckey.txt</literal></quote>.

224

Secret OpenPGP key for GnuTLS authentication

254

225

</para>

255

226

</listitem>

256

227

</varlistentry>

259

230

<term><option>--priority=<replaceable

260

231

>STRING</replaceable></option></term>

261

232

262

<xi:include href="../mandos-options.xml"

263

xpointer="priority"/>

233

<para>

234

GnuTLS priority

235

</para>

264

236

</listitem>

265

237

</varlistentry>

266

238

269

241

>BITS</replaceable></option></term>

270

242

271

243

<para>

272

Sets the number of bits to use for the prime number in the

273

TLS Diffie-Hellman key exchange. Default is 1024.

244

DH bits to use in gnutls communication

274

245

</para>

275

246

</listitem>

276

247

</varlistentry>

279

250

<term><option>--debug</option></term>

280

251

281

252

<para>

282

Enable debug mode. This will enable a lot of output to

283

standard error about what the program is doing. The

284

program will still perform all other functions normally.

285

</para>

286

<para>

287

It will also enable debug mode in the Avahi and GnuTLS

288

libraries, making them print large amounts of debugging

289

output.

253

Debug mode

290

254

</para>

291

255

</listitem>

292

256

</varlistentry>

296

260

297

261

298

262

<para>

299

Gives a help message about options and their meanings.

263

Gives a help message

300

264

</para>

301

265

</listitem>

302

266

</varlistentry>

305

269

<term><option>--usage</option></term>

306

270

307

271

<para>

308

Gives a short usage message.

272

Gives a short usage message

309

273

</para>

310

274

</listitem>

311

275

</varlistentry>

315

279

316

280

317

281

<para>

318

Prints the program version.

282

Prints the program version

319

283

</para>

320

284

</listitem>

321

285

</varlistentry>

322

286

</variablelist>

323

287

</refsect1>

324

288

325

326

<title>OVERVIEW</title>

327

<xi:include href="../overview.xml"/>

328

<para>

329

This program is the client part. It is a plugin started by

330

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

331

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

332

an initial <acronym>RAM</acronym> disk environment.

333

</para>

334

<para>

335

This program could, theoretically, be used as a keyscript in

336

<filename>/etc/crypttab</filename>, but it would then be

337

impossible to enter a password for the encrypted root disk at

338

the console, since this program does not read from the console

339

at all. This is why a separate plugin does that, which will be

340

run in parallell to this one by the plugin runner.

341

</para>

342

</refsect1>

343

344

289

345

290

<title>EXIT STATUS</title>

346

291

<para>

347

This program will exit with a successful (zero) exit status if a

348

server could be found and the password received from it could be

349

successfully decrypted and output on standard output. The

350

program will exit with a non-zero exit status only if a critical

351

error occurs. Otherwise, it will forever connect to new

352

<application>Mandos</application> servers as they appear, trying

353

to get a decryptable password.

354

292

</para>

355

293

</refsect1>

356

294

357

295

358

296

<title>ENVIRONMENT</title>

359

297

<para>

360

This program does not use any environment variables, not even

361

the ones provided by <citerefentry><refentrytitle

362

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

363

</citerefentry>.

364

298

</para>

365

299

</refsect1>

366

300

367

301

368

302

<title>FILES</title>

369

370

371

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

372

></term>

373

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

374

></term>

375

376

<para>

377

OpenPGP public and private key files, in <quote>ASCII

378

Armor</quote> format. These are the default file names,

379

they can be changed with the <option>--pubkey</option> and

380

<option>--seckey</option> options.

381

</para>

382

</listitem>

383

</varlistentry>

384

</variablelist>

303

<para>

304

</para>

385

305

</refsect1>

386

306

387

388

389

390

391

307

308

309

<para>

310

</para>

311

</refsect1>

392

312

393

313

394

314

<title>EXAMPLE</title>

395

315

<para>

396

Note that normally, command line options will not be given

397

directly, but via options for the Mandos <citerefentry

398

><refentrytitle>plugin-runner</refentrytitle>

399

<manvolnum>8mandos</manvolnum></citerefentry>.

400

316

</para>

401

402

<para>

403

Normal invocation needs no options, if the network interface

404

is <quote>eth0</quote>:

405

</para>

406

<para>

407

<userinput>&COMMANDNAME;</userinput>

408

</para>

409

</informalexample>

410

411

<para>

412

Search for Mandos servers on another interface:

413

</para>

414

<para>

415

416

<userinput>&COMMANDNAME; --interface eth1</userinput>

417

</para>

418

</informalexample>

419

420

<para>

421

Run in debug mode, and use a custom key directory:

422

</para>

423

<para>

424

425

<userinput>&COMMANDNAME; --debug --keydir keydir</userinput>

426

</para>

427

</informalexample>

428

429

<para>

430

Run in debug mode, with a custom key directory, and do not use

431

Zeroconf to locate a server; connect directly to the IPv6

432

address <quote><systemitem class="ipaddress"

433

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

434

port 4711, using interface eth2:

435

</para>

436

<para>

437

438

439

<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

440

441

</para>

442

</informalexample>

443

317

</refsect1>

444

318

445

319

446

320

<title>SECURITY</title>

447

321

<para>

448

This program is set-uid to root, but will switch back to the

449

original user and group after bringing up the network interface.

450

</para>

451

<para>

452

To use this program for its intended purpose (see <xref

453

linkend="purpose"/>), the password for the root file system will

454

have to be given out to be stored in a server computer, after

455

having been encrypted using an OpenPGP key. This encrypted data

456

which will be stored in a server can only be decrypted by the

457

OpenPGP key, and the data will only be given out to those

458

clients who can prove they actually have that key. This key,

459

however, is stored unencrypted on the client side in its initial

460

<acronym>RAM</acronym> disk image file system. This is normally

461

readable by all, but this is normally fixed during installation

462

of this program; file permissions are set so that no-one is able

463

to read that file.

464

</para>

465

<para>

466

The only remaining weak point is that someone with physical

467

access to the client hard drive might turn off the client

468

computer, read the OpenPGP keys directly from the hard drive,

469

and communicate with the server. The defense against this is

470

that the server is supposed to notice the client disappearing

471

and will stop giving out the encrypted data. Therefore, it is

472

important to set the timeout and checker interval values tightly

473

on the server. See <citerefentry><refentrytitle

474

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

475

</para>

476

<para>

477

<emphasis>Note</emphasis>: This makes it impossible to have

478

<application >Mandos</application> clients which dual-boot to

479

another operating system which does <emphasis>not</emphasis> run

480

a <application>Mandos</application> client.

481

322

</para>

482

323

</refsect1>

483

324

507

348

508

349

509

350

<ulink

510

url="http://www.gnupg.org/related_software/gpgme/"

511

>GPGME</ulink>

351

url="http://www.gnupg.org/related_software/gpgme/">

352

GPGME</ulink>

512

353

</para></listitem>

513

354

514

355

Older »