/mandos/trunk : revision 1301

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2024-09-12 02:53:43 UTC
Revision ID: teddy@recompile.se-20240912025343-05elzcldczplvk89

Ignore some more files

* .bzrignore: Ignore "cl", which is used to temporarily save the
  commit message.  Ignore the .mypy_cache directories.  Ignore
  *.c.local files which are used by the tools to sort #include
  directives and associated comments.

files added:
debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

100

115

</arg>

154

169

brings up network interfaces, uses the interfaces’ IPv6

155

170

link-local addresses to get network connectivity, uses Zeroconf

156

171

to find servers on the local network, and communicates with

157

servers using TLS with an OpenPGP key to ensure authenticity and

158

confidentiality. This client program keeps running, trying all

159

servers on the network, until it receives a satisfactory reply

160

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

161

176

servers are periodically retried. If no servers are found it

162

177

will wait indefinitely for new servers to appear.

163

178

</para>

181

196

</para>

182

197

<para>

183

198

This program is not meant to be run directly; it is really meant

184

to run as a plugin of the <application>Mandos</application>

185

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

186

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

187

initial <acronym>RAM</acronym> disk environment because it is

188

specified as a <quote>keyscript</quote> in the <citerefentry>

189

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

190

</citerefentry> file.

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

191

202

</para>

192

203

</refsect1>

193

204

205

216

<title>OPTIONS</title>

206

217

<para>

207

218

This program is commonly not invoked from the command line; it

208

is normally started by the <application>Mandos</application>

209

plugin runner, see <citerefentry><refentrytitle

210

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

211

</citerefentry>. Any command line options this program accepts

212

are therefore normally provided by the plugin runner, and not

213

directly.

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

214

223

</para>

215

224

216

225

307

316

</varlistentry>

308

317

309

318

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

310

347

<term><option>--priority=<replaceable

311

348

>STRING</replaceable></option></term>

312

349

322

359

<para>

323

360

Sets the number of bits to use for the prime number in the

324

361

TLS Diffie-Hellman key exchange. The default value is

325

selected automatically based on the OpenPGP key. Note

326

that if the <option>--dh-params</option> option is used,

327

the values from that file will be used instead.

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

328

366

</para>

329

367

</listitem>

330

368

</varlistentry>

438

476

<title>OVERVIEW</title>

439

477

<xi:include href="../overview.xml"/>

440

478

<para>

441

This program is the client part. It is a plugin started by

442

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

443

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

444

an initial <acronym>RAM</acronym> disk environment.

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

445

504

</para>

446

505

<para>

447

506

This program could, theoretically, be used as a keyscript in

448

507

<filename>/etc/crypttab</filename>, but it would then be

449

508

impossible to enter a password for the encrypted root disk at

450

509

the console, since this program does not read from the console

451

at all. This is why a separate plugin runner (<citerefentry>

452

<refentrytitle>plugin-runner</refentrytitle>

453

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

454

both this program and others in in parallel,

455

<emphasis>one</emphasis> of which (<citerefentry>

456

<refentrytitle>password-prompt</refentrytitle>

457

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

458

passwords on the system console.

510

at all.

459

511

</para>

460

512

</refsect1>

461

513

481

533

<para>

482

534

This environment variable will be assumed to contain the

483

535

directory containing any helper executables. The use and

484

nature of these helper executables, if any, is

485

purposefully not documented.

536

nature of these helper executables, if any, is purposely

537

not documented.

486

538

</para>

487

539

</listitem>

488

540

</varlistentry>

682

734

</listitem>

683

735

</varlistentry>

684

736

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

685

751

<term><filename

686

752

class="directory">/lib/mandos/network-hooks.d</filename></term>

687

753

704

770

<title>EXAMPLE</title>

705

771

<para>

706

772

Note that normally, command line options will not be given

707

directly, but via options for the Mandos <citerefentry

708

><refentrytitle>plugin-runner</refentrytitle>

709

<manvolnum>8mandos</manvolnum></citerefentry>.

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

710

775

</para>

711

776

712

777

<para>

729

794

</informalexample>

730

795

731

796

<para>

732

Run in debug mode, and use a custom key:

797

Run in debug mode, and use custom keys:

733

798

</para>

734

799

<para>

735

800

736

801

737

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

738

803

739

804

</para>

740

805

</informalexample>

741

806

742

807

<para>

743

Run in debug mode, with a custom key, and do not use Zeroconf

808

Run in debug mode, with custom keys, and do not use Zeroconf

744

809

to locate a server; connect directly to the IPv6 link-local

745

810

address <quote><systemitem class="ipaddress"

746

811

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

749

814

<para>

750

815

751

816

752

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

753

818

754

819

</para>

755

820

</informalexample>

758

823

759

824

<title>SECURITY</title>

760

825

<para>

761

This program is set-uid to root, but will switch back to the

762

original (and presumably non-privileged) user and group after

763

bringing up the network interface.

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

764

829

</para>

765

830

<para>

766

831

To use this program for its intended purpose (see <xref

779

844

<para>

780

845

The only remaining weak point is that someone with physical

781

846

access to the client hard drive might turn off the client

782

computer, read the OpenPGP keys directly from the hard drive,

783

and communicate with the server. To safeguard against this, the

784

server is supposed to notice the client disappearing and stop

785

giving out the encrypted data. Therefore, it is important to

786

set the timeout and checker interval values tightly on the

787

server. See <citerefentry><refentrytitle

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

788

853

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

789

854

</para>

790

855

<para>

814

879

<manvolnum>5</manvolnum></citerefentry>,

815

880

<citerefentry><refentrytitle>mandos</refentrytitle>

816

881

<manvolnum>8</manvolnum></citerefentry>,

817

<citerefentry><refentrytitle>password-prompt</refentrytitle>

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

818

883

<manvolnum>8mandos</manvolnum></citerefentry>,

819

884

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

820

885

<manvolnum>8mandos</manvolnum></citerefentry>

833

898

</varlistentry>

834

899

835

900

<term>

836

<ulink url="http://www.avahi.org/">Avahi</ulink>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

837

902

</term>

838

903

839

904

<para>

850

915

<para>

851

916

GnuTLS is the library this client uses to implement TLS for

852

917

communicating securely with the server, and at the same time

853

send the public OpenPGP key to the server.

918

send the public key to the server.

854

919

</para>

855

920

</listitem>

856

921

</varlistentry>

922

987

</varlistentry>

923

988

924

989

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

925

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

926

1005

Security</citetitle>

927

1006

</term>

928

1007

929

1008

<para>

930

This is implemented by GnuTLS and used by this program so

931

that OpenPGP keys can be used.

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

932

1012

</para>

933

1013

</listitem>

934

1014

</varlistentry>

Older »