/mandos/trunk : revision 131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-31 15:06:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080831150639-tqdkyea3b9p3rou7

* Makefile: Make all DocBook rules include legalnotice.xml as a
            dependency.

* legalnotice.xml: New file with just the <legalnotice> tag in it.

* mandos-clients.conf.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".
* mandos-keygen.xml (/refentry/refentryinfo/legalnotice): - '' -
* mandos-conf.xml (/refentry/refentryinfo/legalnotice): - '' -
* mandos.xml (/refentry/refentryinfo/legalnotice): - '' -

* overview.xml: Changed root node tag name in DOCTYPE declaration.

* plugin-runner.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

* plugins.d/password-prompt.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

* plugins.d/password-request.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

110

100

<arg choice="plain"><option>--check</option></arg>

111

101

</cmdsynopsis>

112

102

</refsynopsisdiv>

113

103

114

104

115

105

<title>DESCRIPTION</title>

116

106

<para>

125

115

Any authenticated client is then given the stored pre-encrypted

126

116

password for that specific client.

127

117

</para>

118

128

119

</refsect1>

129

120

130

121

131

122

<title>PURPOSE</title>

123

132

124

<para>

133

125

The purpose of this is to enable <emphasis>remote and unattended

134

126

rebooting</emphasis> of client host computer with an

135

127

<emphasis>encrypted root file system</emphasis>. See <xref

136

128

linkend="overview"/> for details.

137

129

</para>

130

138

131

</refsect1>

139

132

140

133

141

134

<title>OPTIONS</title>

135

142

136

143

137

144

138

196

190

<xi:include href="mandos-options.xml" xpointer="debug"/>

197

191

</listitem>

198

192

</varlistentry>

199

200

201

<term><option>--debuglevel

202

<replaceable>LEVEL</replaceable></option></term>

203

204

<para>

205

Set the debugging log level.

206

<replaceable>LEVEL</replaceable> is a string, one of

207

<quote><literal>CRITICAL</literal></quote>,

208

<quote><literal>ERROR</literal></quote>,

209

<quote><literal>WARNING</literal></quote>,

210

<quote><literal>INFO</literal></quote>, or

211

<quote><literal>DEBUG</literal></quote>, in order of

212

increasing verbosity. The default level is

213

<quote><literal>WARNING</literal></quote>.

214

</para>

215

</listitem>

216

</varlistentry>

217

193

218

194

219

195

<term><option>--priority <replaceable>

220

196

PRIORITY</replaceable></option></term>

222

198

<xi:include href="mandos-options.xml" xpointer="priority"/>

223

199

</listitem>

224

200

</varlistentry>

225

201

226

202

227

203

<term><option>--servicename

228

204

231

207

xpointer="servicename"/>

232

208

</listitem>

233

209

</varlistentry>

234

210

235

211

236

212

<term><option>--configdir

237

213

<replaceable>DIRECTORY</replaceable></option></term>

246

222

</para>

247

223

</listitem>

248

224

</varlistentry>

249

225

250

226

251

227

<term><option>--version</option></term>

252

228

255

231

</para>

256

232

</listitem>

257

233

</varlistentry>

258

259

260

261

262

<xi:include href="mandos-options.xml" xpointer="dbus"/>

263

<para>

264

See also <xref linkend="dbus_interface"/>.

265

</para>

266

</listitem>

267

</varlistentry>

268

269

270

271

272

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

273

</listitem>

274

</varlistentry>

275

234

</variablelist>

276

235

</refsect1>

277

236

278

237

279

238

<title>OVERVIEW</title>

280

239

<xi:include href="overview.xml"/>

281

240

<para>

282

241

This program is the server part. It is a normal server program

283

242

and will run in a normal system environment, not in an initial

284

<acronym>RAM</acronym> disk environment.

243

RAM disk environment.

285

244

</para>

286

245

</refsect1>

287

246

288

247

289

248

<title>NETWORK PROTOCOL</title>

290

249

<para>

342

301

</row>

343

302

</tbody></tgroup></table>

344

303

</refsect1>

345

304

346

305

347

306

<title>CHECKING</title>

348

307

<para>

349

308

The server will, by default, continually check that the clients

350

309

are still up. If a client has not been confirmed as being up

351

310

for some time, the client is assumed to be compromised and is no

352

longer eligible to receive the encrypted password. (Manual

353

intervention is required to re-enable a client.) The timeout,

311

longer eligible to receive the encrypted password. The timeout,

354

312

checker program, and interval between checks can be configured

355

313

both globally and per client; see <citerefentry>

356

314

<refentrytitle>mandos-clients.conf</refentrytitle>

357

<manvolnum>5</manvolnum></citerefentry>. A client successfully

358

receiving its password will also be treated as a successful

359

checker run.

360

</para>

361

</refsect1>

362

363

364

<title>APPROVAL</title>

365

<para>

366

The server can be configured to require manual approval for a

367

client before it is sent its secret. The delay to wait for such

368

approval and the default action (approve or deny) can be

369

configured both globally and per client; see <citerefentry>

370

<refentrytitle>mandos-clients.conf</refentrytitle>

371

<manvolnum>5</manvolnum></citerefentry>. By default all clients

372

will be approved immediately without delay.

373

</para>

374

<para>

375

This can be used to deny a client its secret if not manually

376

approved within a specified time. It can also be used to make

377

the server delay before giving a client its secret, allowing

378

optional manual denying of this specific client.

379

</para>

380

381

</refsect1>

382

315

<manvolnum>5</manvolnum></citerefentry>.

316

</para>

317

</refsect1>

318

383

319

384

320

<title>LOGGING</title>

385

321

<para>

389

325

and also show them on the console.

390

326

</para>

391

327

</refsect1>

392

393

394

<title>D-BUS INTERFACE</title>

395

<para>

396

The server will by default provide a D-Bus system bus interface.

397

This interface will only be accessible by the root user or a

398

Mandos-specific user, if such a user exists. For documentation

399

of the D-Bus API, see the file <filename>DBUS-API</filename>.

400

</para>

401

</refsect1>

402

328

403

329

404

330

<title>EXIT STATUS</title>

405

331

<para>

407

333

critical error is encountered.

408

334

</para>

409

335

</refsect1>

410

336

411

337

412

338

<title>ENVIRONMENT</title>

413

339

427

353

</varlistentry>

428

354

</variablelist>

429

355

</refsect1>

430

431

356

357

432

358

<title>FILES</title>

433

359

<para>

434

360

Use the <option>--configdir</option> option to change where

457

383

</listitem>

458

384

</varlistentry>

459

385

460

<term><filename>/var/run/mandos.pid</filename></term>

386

<term><filename>/var/run/mandos/mandos.pid</filename></term>

461

387

462

388

<para>

463

The file containing the process id of the

464

<command>&COMMANDNAME;</command> process started last.

389

The file containing the process id of

390

<command>&COMMANDNAME;</command>.

465

391

</para>

466

392

</listitem>

467

393

</varlistentry>

495

421

backtrace. This could be considered a feature.

496

422

</para>

497

423

<para>

498

Currently, if a client is disabled due to having timed out, the

499

server does not record this fact onto permanent storage. This

500

has some security implications, see <xref linkend="clients"/>.

424

Currently, if a client is declared <quote>invalid</quote> due to

425

having timed out, the server does not record this fact onto

426

permanent storage. This has some security implications, see

427

<xref linkend="CLIENTS"/>.

428

</para>

429

<para>

430

There is currently no way of querying the server of the current

431

status of clients, other than analyzing its <systemitem

432

class="service">syslog</systemitem> output.

501

433

</para>

502

434

<para>

503

435

There is no fine-grained control over logging and debug output.

506

438

Debug mode is conflated with running in the foreground.

507

439

</para>

508

440

<para>

509

The console log messages do not show a time stamp.

510

</para>

511

<para>

512

This server does not check the expire time of clients’ OpenPGP

513

keys.

441

The console log messages does not show a timestamp.

514

442

</para>

515

443

</refsect1>

516

444

551

479

</para>

552

480

</informalexample>

553

481

</refsect1>

554

482

555

483

556

484

<title>SECURITY</title>

557

485

558

486

<title>SERVER</title>

559

487

<para>

560

488

Running this <command>&COMMANDNAME;</command> server program

561

489

should not in itself present any security risk to the host

562

computer running it. The program switches to a non-root user

563

soon after startup.

490

computer running it. The program does not need any special

491

privileges to run, and is designed to run as a non-root user.

564

492

</para>

565

493

</refsect2>

566

494

567

495

<title>CLIENTS</title>

568

496

<para>

569

497

The server only gives out its stored data to clients which

576

504

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

577

505

<manvolnum>5</manvolnum></citerefentry>)

578

506

<emphasis>must</emphasis> be made non-readable by anyone

579

except the user starting the server (usually root).

507

except the user running the server.

580

508

</para>

581

509

<para>

582

510

As detailed in <xref linkend="checking"/>, the status of all

585

513

</para>

586

514

<para>

587

515

If a client is compromised, its downtime should be duly noted

588

by the server which would therefore disable the client. But

589

if the server was ever restarted, it would re-read its client

590

list from its configuration file and again regard all clients

591

therein as enabled, and hence eligible to receive their

592

passwords. Therefore, be careful when restarting servers if

593

it is suspected that a client has, in fact, been compromised

594

by parties who may now be running a fake Mandos client with

595

the keys from the non-encrypted initial <acronym>RAM</acronym>

596

image of the client host. What should be done in that case

597

(if restarting the server program really is necessary) is to

598

stop the server program, edit the configuration file to omit

599

any suspect clients, and restart the server program.

516

by the server which would therefore declare the client

517

invalid. But if the server was ever restarted, it would

518

re-read its client list from its configuration file and again

519

regard all clients therein as valid, and hence eligible to

520

receive their passwords. Therefore, be careful when

521

restarting servers if it is suspected that a client has, in

522

fact, been compromised by parties who may now be running a

523

fake Mandos client with the keys from the non-encrypted

524

initial RAM image of the client host. What should be done in

525

that case (if restarting the server program really is

526

necessary) is to stop the server program, edit the

527

configuration file to omit any suspect clients, and restart

528

the server program.

600

529

</para>

601

530

<para>

602

531

For more details on client-side security, see

603

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<citerefentry><refentrytitle>password-request</refentrytitle>

604

533

<manvolnum>8mandos</manvolnum></citerefentry>.

605

534

</para>

606

535

</refsect2>

607

536

</refsect1>

608

537

609

538

610

539

611

540

<para>

614

543

615

544

<refentrytitle>mandos.conf</refentrytitle>

616

545

617

<refentrytitle>mandos-client</refentrytitle>

546

<refentrytitle>password-request</refentrytitle>

618

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

619

548

620

549

</citerefentry>

Older »