/mandos/trunk : revision 1298

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2024-09-09 04:24:39 UTC
Revision ID: teddy@recompile.se-20240909042439-j85mr20uli2hnyis

Eliminate compiler warnings

Many programs use nested functions, which now result in a linker
warning about executable stack.  Hide this warning.  Also, rewrite a
loop in the plymouth plugin to avoid warning about signed overflow.
This change also makes the plugin pick the alphabetically first
process entry instead of the last, in case many plymouth processes are
found (which should be unlikely).

* Makefile (plugin-runner, dracut-module/password-agent,
  plugins.d/password-prompt, plugins.d/mandos-client,
  plugins.d/plymouth): New target; set LDFLAGS to add "-Xlinker
  --no-warn-execstack".
* plugins.d/plymouth.c (get_pid): When no pid files are found, and we
  are looking through the process list, go though it from the start
  instead of from the end, i.e. in normal alphabetical order and not
  in reverse order.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2015-07-08">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

149

169

brings up network interfaces, uses the interfaces’ IPv6

150

170

link-local addresses to get network connectivity, uses Zeroconf

151

171

to find servers on the local network, and communicates with

152

servers using TLS with an OpenPGP key to ensure authenticity and

153

confidentiality. This client program keeps running, trying all

154

servers on the network, until it receives a satisfactory reply

155

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

156

176

servers are periodically retried. If no servers are found it

157

177

will wait indefinitely for new servers to appear.

158

178

</para>

176

196

</para>

177

197

<para>

178

198

This program is not meant to be run directly; it is really meant

179

to run as a plugin of the <application>Mandos</application>

180

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

181

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

182

initial <acronym>RAM</acronym> disk environment because it is

183

specified as a <quote>keyscript</quote> in the <citerefentry>

184

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

185

</citerefentry> file.

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

186

202

</para>

187

203

</refsect1>

188

204

200

216

<title>OPTIONS</title>

201

217

<para>

202

218

This program is commonly not invoked from the command line; it

203

is normally started by the <application>Mandos</application>

204

plugin runner, see <citerefentry><refentrytitle

205

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

206

</citerefentry>. Any command line options this program accepts

207

are therefore normally provided by the plugin runner, and not

208

directly.

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

209

223

</para>

210

224

211

225

302

316

</varlistentry>

303

317

304

318

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

305

347

<term><option>--priority=<replaceable

306

348

>STRING</replaceable></option></term>

307

349

317

359

<para>

318

360

Sets the number of bits to use for the prime number in the

319

361

TLS Diffie-Hellman key exchange. The default value is

320

selected automatically based on the OpenPGP key. Note

321

that if the <option>--dh-params</option> option is used,

322

the values from that file will be used instead.

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

323

366

</para>

324

367

</listitem>

325

368

</varlistentry>

433

476

<title>OVERVIEW</title>

434

477

<xi:include href="../overview.xml"/>

435

478

<para>

436

This program is the client part. It is a plugin started by

437

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

438

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

439

an initial <acronym>RAM</acronym> disk environment.

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

440

504

</para>

441

505

<para>

442

506

This program could, theoretically, be used as a keyscript in

443

507

<filename>/etc/crypttab</filename>, but it would then be

444

508

impossible to enter a password for the encrypted root disk at

445

509

the console, since this program does not read from the console

446

at all. This is why a separate plugin runner (<citerefentry>

447

<refentrytitle>plugin-runner</refentrytitle>

448

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

449

both this program and others in in parallel,

450

<emphasis>one</emphasis> of which (<citerefentry>

451

<refentrytitle>password-prompt</refentrytitle>

452

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

453

passwords on the system console.

510

at all.

454

511

</para>

455

512

</refsect1>

456

513

476

533

<para>

477

534

This environment variable will be assumed to contain the

478

535

directory containing any helper executables. The use and

479

nature of these helper executables, if any, is

480

purposefully not documented.

536

nature of these helper executables, if any, is purposely

537

not documented.

481

538

</para>

482

539

</listitem>

483

540

</varlistentry>

677

734

</listitem>

678

735

</varlistentry>

679

736

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

680

751

<term><filename

681

752

class="directory">/lib/mandos/network-hooks.d</filename></term>

682

753

690

761

</variablelist>

691

762

</refsect1>

692

763

693

694

695

696

697

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

698

768

699

769

700

770

<title>EXAMPLE</title>

701

771

<para>

702

772

Note that normally, command line options will not be given

703

directly, but via options for the Mandos <citerefentry

704

><refentrytitle>plugin-runner</refentrytitle>

705

<manvolnum>8mandos</manvolnum></citerefentry>.

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

706

775

</para>

707

776

708

777

<para>

725

794

</informalexample>

726

795

727

796

<para>

728

Run in debug mode, and use a custom key:

797

Run in debug mode, and use custom keys:

729

798

</para>

730

799

<para>

731

800

732

801

733

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

734

803

735

804

</para>

736

805

</informalexample>

737

806

738

807

<para>

739

Run in debug mode, with a custom key, and do not use Zeroconf

808

Run in debug mode, with custom keys, and do not use Zeroconf

740

809

to locate a server; connect directly to the IPv6 link-local

741

810

address <quote><systemitem class="ipaddress"

742

811

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

745

814

<para>

746

815

747

816

748

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

749

818

750

819

</para>

751

820

</informalexample>

754

823

755

824

<title>SECURITY</title>

756

825

<para>

757

This program is set-uid to root, but will switch back to the

758

original (and presumably non-privileged) user and group after

759

bringing up the network interface.

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

760

829

</para>

761

830

<para>

762

831

To use this program for its intended purpose (see <xref

775

844

<para>

776

845

The only remaining weak point is that someone with physical

777

846

access to the client hard drive might turn off the client

778

computer, read the OpenPGP keys directly from the hard drive,

779

and communicate with the server. To safeguard against this, the

780

server is supposed to notice the client disappearing and stop

781

giving out the encrypted data. Therefore, it is important to

782

set the timeout and checker interval values tightly on the

783

server. See <citerefentry><refentrytitle

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

784

853

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

785

854

</para>

786

855

<para>

810

879

<manvolnum>5</manvolnum></citerefentry>,

811

880

<citerefentry><refentrytitle>mandos</refentrytitle>

812

881

<manvolnum>8</manvolnum></citerefentry>,

813

<citerefentry><refentrytitle>password-prompt</refentrytitle>

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

814

883

<manvolnum>8mandos</manvolnum></citerefentry>,

815

884

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

816

885

<manvolnum>8mandos</manvolnum></citerefentry>

829

898

</varlistentry>

830

899

831

900

<term>

832

<ulink url="http://www.avahi.org/">Avahi</ulink>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

833

902

</term>

834

903

835

904

<para>

840

909

</varlistentry>

841

910

842

911

<term>

843

<ulink url="http://www.gnu.org/software/gnutls/"

844

>GnuTLS</ulink>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

845

913

</term>

846

914

847

915

<para>

848

916

GnuTLS is the library this client uses to implement TLS for

849

917

communicating securely with the server, and at the same time

850

send the public OpenPGP key to the server.

918

send the public key to the server.

851

919

</para>

852

920

</listitem>

853

921

</varlistentry>

854

922

855

923

<term>

856

<ulink url="http://www.gnupg.org/related_software/gpgme/"

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

857

925

>GPGME</ulink>

858

926

</term>

859

927

897

965

</varlistentry>

898

966

899

967

<term>

900

RFC 4346: <citetitle>The Transport Layer Security (TLS)

901

Protocol Version 1.1</citetitle>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

902

970

</term>

903

971

904

972

<para>

905

TLS 1.1 is the protocol implemented by GnuTLS.

973

TLS 1.2 is the protocol implemented by GnuTLS.

906

974

</para>

907

975

</listitem>

908

976

</varlistentry>

919

987

</varlistentry>

920

988

921

989

<term>

922

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

923

1005

Security</citetitle>

924

1006

</term>

925

1007

926

1008

<para>

927

This is implemented by GnuTLS and used by this program so

928

that OpenPGP keys can be used.

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

929

1012

</para>

930

1013

</listitem>

931

1014

</varlistentry>

Older »