/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to debian/mandos-client.README.Debian

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

debian/mandos-client.README.Debian

* Configure The Server

A client key has been automatically created in /etc/keys/mandos.

The next step is to run "mandos-keygen --password" to get a config

file section. This should be appended to /etc/mandos/clients.conf

on the Mandos server.

* Use the Correct Network Interface

Make sure that the correct network interface is specified in the

DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.

If this is changed, it will be necessary to update the initrd image

by doing "update-initramfs -k all -u". This setting can be

overridden at boot time on the Linux kernel command line using the

sixth colon-separated field of the "ip=" option; for exact syntax,

see the file "Documentation/nfsroot.txt" in the Linux source tree.

* Test the Server

After the server has been started and this client's key added, it is

possible to verify that the correct password will be received by

this client by running the command, on the client:

# /usr/lib/mandos/plugins.d/mandos-client \

--pubkey=/etc/keys/mandos/pubkey.txt \

--seckey=/etc/keys/mandos/seckey.txt; echo

This command should retrieve the password from the server, decrypt

it, and output it to standard output. There it can be verified to

be the correct password, before rebooting.

* User-Supplied Plugins

Any plugins found in /etc/mandos/plugins.d will override and add to

the normal Mandos plugins. When adding or changing plugins, do not

forget to update the initital RAM disk image:

# update-initramfs -k all -u

* Do *NOT* Edit /etc/crypttab

It is NOT necessary to edit /etc/crypttab to specify

/usr/lib/mandos/plugin-runner as a keyscript for the root file

system; if no keyscript is given for the root file system, the

Mandos client will be the new default way for getting a password for

the root file system when booting.

* Emergency Escape

If it ever should be necessary, the Mandos client can be temporarily

prevented from running at startup by passing the parameter

"mandos=off" to the kernel.

* Non-local Connection (Not Using ZeroConf)

If the "ip=" kernel command line option is used to specify a

complete IP address and device name, as noted above, it then becomes

possible to specify a specific IP address and port to connect to,

instead of using ZeroConf. The syntax for doing this is

"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>".

Warning: this will cause the client to make exactly one attempt at

connecting, and then fail if it does not succeed.

For very advanced users, it it possible to specify simply

"mandos=connect" on the kernel command line to make the system only

set up the network (using the data in the "ip=" option) and not pass

any extra "--connect" options to mandos-client at boot. For this to

work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs

to be manually added to the file "/etc/mandos/plugin-runner.conf".

-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon, 9 Feb 2009 00:36:55 +0100

Older »