/mandos/trunk : revision 1304

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2024-09-16 21:01:52 UTC
Revision ID: teddy@recompile.se-20240916210152-0xbv4b15jyho9ydk

Override lintian experimental tag "executable-in-usr-lib"

Lintian reports executable files in /usr/lib, since binaries which are
executed internally are supposed to be stored in /usr/libexec.  But
the executables we store in /usr/lib are all files to be copied into
the initial RAM disk image, and are never executed from their storage
location in /usr/lib.  Except one; the Dracut module-setup.sh file.
But that file seems to be required to be executable; the
module-setup.sh file of every other Dracut module is also an
executable file.

* debian/mandos-client.lintian-overrides: Override experimental tag
  "executable-in-usr-lib" about files which are not actually executed
  from this location, and only exist to be copied to the initial RAM
  disk image.  Also the Dracut module-setup.sh file, which merely
  follows the pattern of all other Dracut module-setup.sh files from
  other Dracut modules.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2012-06-13">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

100

127

</arg>

101

128

<sbr/>

142

169

brings up network interfaces, uses the interfaces’ IPv6

143

170

link-local addresses to get network connectivity, uses Zeroconf

144

171

to find servers on the local network, and communicates with

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

149

176

servers are periodically retried. If no servers are found it

150

177

will wait indefinitely for new servers to appear.

151

178

</para>

169

196

</para>

170

197

<para>

171

198

This program is not meant to be run directly; it is really meant

172

to run as a plugin of the <application>Mandos</application>

173

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

174

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

175

initial <acronym>RAM</acronym> disk environment because it is

176

specified as a <quote>keyscript</quote> in the <citerefentry>

177

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

178

</citerefentry> file.

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

179

202

</para>

180

203

</refsect1>

181

204

193

216

<title>OPTIONS</title>

194

217

<para>

195

218

This program is commonly not invoked from the command line; it

196

is normally started by the <application>Mandos</application>

197

plugin runner, see <citerefentry><refentrytitle

198

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

199

</citerefentry>. Any command line options this program accepts

200

are therefore normally provided by the plugin runner, and not

201

directly.

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

202

223

</para>

203

224

204

225

218

239

assumed to separate the address from the port number.

219

240

</para>

220

241

<para>

221

This option is normally only useful for testing and

222

debugging.

242

Normally, Zeroconf would be used to locate Mandos servers,

243

in which case this option would only be used when testing

244

and debugging.

223

245

</para>

224

246

</listitem>

225

247

</varlistentry>

226

248

227

249

228

250

<term><option>--interface=<replaceable

229

>NAME</replaceable></option></term>

251

>NAME</replaceable><arg rep='repeat'>,<replaceable

252

>NAME</replaceable></arg></option></term>

230

253

<term><option>-i

231

254

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

255

>NAME</replaceable></arg></option></term>

232

256

233

257

<para>

234

258

Comma separated list of network interfaces that will be

237

261

use all appropriate interfaces.

238

262

</para>

239

263

<para>

240

If the <option>--connect</option> option is used, this

241

specifies the interface to use to connect to the address

242

given.

264

If the <option>--connect</option> option is used, and

265

exactly one interface name is specified (except

266

<quote><literal>none</literal></quote>), this specifies

267

the interface to use to connect to the address given.

243

268

</para>

244

269

<para>

245

270

Note that since this program will normally run in the

254

279

</para>

255

280

<para>

256

281

<replaceable>NAME</replaceable> can be the string

257

<quote><literal>none</literal></quote>; this will not use

258

any specific interface, and will not bring up an interface

259

on startup. This is not recommended, and only meant for

260

advanced users.

282

<quote><literal>none</literal></quote>; this will make

283

<command>&COMMANDNAME;</command> only bring up interfaces

284

specified <emphasis>before</emphasis> this string. This

285

is not recommended, and only meant for advanced users.

261

286

</para>

262

287

</listitem>

263

288

</varlistentry>

291

316

</varlistentry>

292

317

293

318

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

294

347

<term><option>--priority=<replaceable

295

348

>STRING</replaceable></option></term>

296

349

305

358

306

359

<para>

307

360

Sets the number of bits to use for the prime number in the

308

TLS Diffie-Hellman key exchange. Default is 1024.

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

309

383

</para>

310

384

</listitem>

311

385

</varlistentry>

402

476

<title>OVERVIEW</title>

403

477

<xi:include href="../overview.xml"/>

404

478

<para>

405

This program is the client part. It is a plugin started by

406

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

407

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

408

an initial <acronym>RAM</acronym> disk environment.

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

409

504

</para>

410

505

<para>

411

506

This program could, theoretically, be used as a keyscript in

412

507

<filename>/etc/crypttab</filename>, but it would then be

413

508

impossible to enter a password for the encrypted root disk at

414

509

the console, since this program does not read from the console

415

at all. This is why a separate plugin runner (<citerefentry>

416

<refentrytitle>plugin-runner</refentrytitle>

417

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

418

both this program and others in in parallel,

419

<emphasis>one</emphasis> of which (<citerefentry>

420

<refentrytitle>password-prompt</refentrytitle>

421

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

422

passwords on the system console.

510

at all.

423

511

</para>

424

512

</refsect1>

425

513

438

526

439

527

440

528

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

441

542

<para>

442

This program does not use any environment variables, not even

443

the ones provided by <citerefentry><refentrytitle

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

444

545

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

445

546

</citerefentry>.

446

547

</para>

508

609

It is not necessary to print any non-executable files

509

610

already in the network hook directory, these will be

510

611

copied implicitly if they otherwise satisfy the name

511

requirement.

612

requirements.

512

613

</para>

513

614

</listitem>

514

615

</varlistentry>

633

734

</listitem>

634

735

</varlistentry>

635

736

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

636

751

<term><filename

637

752

class="directory">/lib/mandos/network-hooks.d</filename></term>

638

753

646

761

</variablelist>

647

762

</refsect1>

648

763

649

650

651

652

653

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

654

768

655

769

656

770

<title>EXAMPLE</title>

657

771

<para>

658

772

Note that normally, command line options will not be given

659

directly, but via options for the Mandos <citerefentry

660

><refentrytitle>plugin-runner</refentrytitle>

661

<manvolnum>8mandos</manvolnum></citerefentry>.

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

662

775

</para>

663

776

664

777

<para>

665

Normal invocation needs no options, if the network interface

778

Normal invocation needs no options, if the network interfaces

666

779

can be automatically determined:

667

780

</para>

668

781

<para>

671

784

</informalexample>

672

785

673

786

<para>

674

Search for Mandos servers (and connect to them) using another

675

interface:

787

Search for Mandos servers (and connect to them) using one

788

specific interface:

676

789

</para>

677

790

<para>

678

791

681

794

</informalexample>

682

795

683

796

<para>

684

Run in debug mode, and use a custom key:

797

Run in debug mode, and use custom keys:

685

798

</para>

686

799

<para>

687

800

688

801

689

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

690

803

691

804

</para>

692

805

</informalexample>

693

806

694

807

<para>

695

Run in debug mode, with a custom key, and do not use Zeroconf

808

Run in debug mode, with custom keys, and do not use Zeroconf

696

809

to locate a server; connect directly to the IPv6 link-local

697

810

address <quote><systemitem class="ipaddress"

698

811

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

701

814

<para>

702

815

703

816

704

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

705

818

706

819

</para>

707

820

</informalexample>

710

823

711

824

<title>SECURITY</title>

712

825

<para>

713

This program is set-uid to root, but will switch back to the

714

original (and presumably non-privileged) user and group after

715

bringing up the network interface.

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

716

829

</para>

717

830

<para>

718

831

To use this program for its intended purpose (see <xref

731

844

<para>

732

845

The only remaining weak point is that someone with physical

733

846

access to the client hard drive might turn off the client

734

computer, read the OpenPGP keys directly from the hard drive,

735

and communicate with the server. To safeguard against this, the

736

server is supposed to notice the client disappearing and stop

737

giving out the encrypted data. Therefore, it is important to

738

set the timeout and checker interval values tightly on the

739

server. See <citerefentry><refentrytitle

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

740

853

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

741

854

</para>

742

855

<para>

743

856

It will also help if the checker program on the server is

744

857

configured to request something from the client which can not be

745

spoofed by someone else on the network, unlike unencrypted

746

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

858

spoofed by someone else on the network, like SSH server key

859

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

860

echo (<quote>ping</quote>) replies.

747

861

</para>

748

862

<para>

749

863

<emphasis>Note</emphasis>: This makes it completely insecure to

765

879

<manvolnum>5</manvolnum></citerefentry>,

766

880

<citerefentry><refentrytitle>mandos</refentrytitle>

767

881

<manvolnum>8</manvolnum></citerefentry>,

768

<citerefentry><refentrytitle>password-prompt</refentrytitle>

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

769

883

<manvolnum>8mandos</manvolnum></citerefentry>,

770

884

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

771

885

<manvolnum>8mandos</manvolnum></citerefentry>

784

898

</varlistentry>

785

899

786

900

<term>

787

<ulink url="http://www.avahi.org/">Avahi</ulink>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

788

902

</term>

789

903

790

904

<para>

795

909

</varlistentry>

796

910

797

911

<term>

798

<ulink url="http://www.gnu.org/software/gnutls/"

799

>GnuTLS</ulink>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

800

913

</term>

801

914

802

915

<para>

803

916

GnuTLS is the library this client uses to implement TLS for

804

917

communicating securely with the server, and at the same time

805

send the public OpenPGP key to the server.

918

send the public key to the server.

806

919

</para>

807

920

</listitem>

808

921

</varlistentry>

809

922

810

923

<term>

811

<ulink url="http://www.gnupg.org/related_software/gpgme/"

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

812

925

>GPGME</ulink>

813

926

</term>

814

927

842

955

<para>

843

956

This client uses IPv6 link-local addresses, which are

844

957

immediately usable since a link-local addresses is

845

automatically assigned to a network interfaces when it

958

automatically assigned to a network interface when it

846

959

is brought up.

847

960

</para>

848

961

</listitem>

852

965

</varlistentry>

853

966

854

967

<term>

855

RFC 4346: <citetitle>The Transport Layer Security (TLS)

856

Protocol Version 1.1</citetitle>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

857

970

</term>

858

971

859

972

<para>

860

TLS 1.1 is the protocol implemented by GnuTLS.

973

TLS 1.2 is the protocol implemented by GnuTLS.

861

974

</para>

862

975

</listitem>

863

976

</varlistentry>

874

987

</varlistentry>

875

988

876

989

<term>

877

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

878

1005

Security</citetitle>

879

1006

</term>

880

1007

881

1008

<para>

882

This is implemented by GnuTLS and used by this program so

883

that OpenPGP keys can be used.

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

884

1012

</para>

885

1013

</listitem>

886

1014

</varlistentry>

Older »