/mandos/trunk : revision 1315

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2024-11-24 00:44:25 UTC
Revision ID: teddy@recompile.se-20241124004425-6k3y0ir1ksyjq3c4

mandos-keygen: Show warning about old OpenSSH versions

When generating a config file snippet on the Mandos client system
using mandos-keygen, and the default ssh-keyscan checker is used, and
if the OpenSSH version is 9.8 or later, the "checker" command
generated for the config file on the Mandos server will include the
"-q" option for ssh-keyscan.  This option did not exist on ssh-keyscan
from OpenSSH older than version 9.8.  Therefore, if the Mandos
*server* is running an older version of OpenSSH, where ssh-keyscan
does not support the "-q" option, this option must be removed from the
generated "checker" setting.  Since we cannot know if this is the case
when running mandos-keygen on the Mandos client system, we print this
information as a comment above the generated "checker" setting.

* mandos-keygen: Show warning if the new "-q" options was used with
  ssh-keyscan in the generated "checker" setting.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
debian/upstream-signing-key.pgp

initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2014-03-01">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

100

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

101

126

<option>--delay <replaceable>SECONDS</replaceable></option>

102

127

</arg>

103

128

<sbr/>

144

169

brings up network interfaces, uses the interfaces’ IPv6

145

170

link-local addresses to get network connectivity, uses Zeroconf

146

171

to find servers on the local network, and communicates with

147

servers using TLS with an OpenPGP key to ensure authenticity and

148

confidentiality. This client program keeps running, trying all

149

servers on the network, until it receives a satisfactory reply

150

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

151

176

servers are periodically retried. If no servers are found it

152

177

will wait indefinitely for new servers to appear.

153

178

</para>

171

196

</para>

172

197

<para>

173

198

This program is not meant to be run directly; it is really meant

174

to run as a plugin of the <application>Mandos</application>

175

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

176

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

177

initial <acronym>RAM</acronym> disk environment because it is

178

specified as a <quote>keyscript</quote> in the <citerefentry>

179

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

180

</citerefentry> file.

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

181

202

</para>

182

203

</refsect1>

183

204

195

216

<title>OPTIONS</title>

196

217

<para>

197

218

This program is commonly not invoked from the command line; it

198

is normally started by the <application>Mandos</application>

199

plugin runner, see <citerefentry><refentrytitle

200

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

201

</citerefentry>. Any command line options this program accepts

202

are therefore normally provided by the plugin runner, and not

203

directly.

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

204

223

</para>

205

224

206

225

261

280

<para>

262

281

<replaceable>NAME</replaceable> can be the string

263

282

<quote><literal>none</literal></quote>; this will make

264

<command>&COMMANDNAME;</command> not bring up

265

<emphasis>any</emphasis> interfaces specified

266

<emphasis>after</emphasis> this string. This is not

267

recommended, and only meant for advanced users.

283

<command>&COMMANDNAME;</command> only bring up interfaces

284

specified <emphasis>before</emphasis> this string. This

285

is not recommended, and only meant for advanced users.

268

286

</para>

269

287

</listitem>

270

288

</varlistentry>

298

316

</varlistentry>

299

317

300

318

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

301

347

<term><option>--priority=<replaceable

302

348

>STRING</replaceable></option></term>

303

349

312

358

313

359

<para>

314

360

Sets the number of bits to use for the prime number in the

315

TLS Diffie-Hellman key exchange. Default is 1024.

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

316

383

</para>

317

384

</listitem>

318

385

</varlistentry>

409

476

<title>OVERVIEW</title>

410

477

<xi:include href="../overview.xml"/>

411

478

<para>

412

This program is the client part. It is a plugin started by

413

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

414

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

415

an initial <acronym>RAM</acronym> disk environment.

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

416

504

</para>

417

505

<para>

418

506

This program could, theoretically, be used as a keyscript in

419

507

<filename>/etc/crypttab</filename>, but it would then be

420

508

impossible to enter a password for the encrypted root disk at

421

509

the console, since this program does not read from the console

422

at all. This is why a separate plugin runner (<citerefentry>

423

<refentrytitle>plugin-runner</refentrytitle>

424

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

425

both this program and others in in parallel,

426

<emphasis>one</emphasis> of which (<citerefentry>

427

<refentrytitle>password-prompt</refentrytitle>

428

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

429

passwords on the system console.

510

at all.

430

511

</para>

431

512

</refsect1>

432

513

445

526

446

527

447

528

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

448

542

<para>

449

This program does not use any environment variables, not even

450

the ones provided by <citerefentry><refentrytitle

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

451

545

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

452

546

</citerefentry>.

453

547

</para>

640

734

</listitem>

641

735

</varlistentry>

642

736

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

643

751

<term><filename

644

752

class="directory">/lib/mandos/network-hooks.d</filename></term>

645

753

653

761

</variablelist>

654

762

</refsect1>

655

763

656

657

658

659

660

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

661

768

662

769

663

770

<title>EXAMPLE</title>

664

771

<para>

665

772

Note that normally, command line options will not be given

666

directly, but via options for the Mandos <citerefentry

667

><refentrytitle>plugin-runner</refentrytitle>

668

<manvolnum>8mandos</manvolnum></citerefentry>.

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

669

775

</para>

670

776

671

777

<para>

688

794

</informalexample>

689

795

690

796

<para>

691

Run in debug mode, and use a custom key:

797

Run in debug mode, and use custom keys:

692

798

</para>

693

799

<para>

694

800

695

801

696

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

697

803

698

804

</para>

699

805

</informalexample>

700

806

701

807

<para>

702

Run in debug mode, with a custom key, and do not use Zeroconf

808

Run in debug mode, with custom keys, and do not use Zeroconf

703

809

to locate a server; connect directly to the IPv6 link-local

704

810

address <quote><systemitem class="ipaddress"

705

811

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

708

814

<para>

709

815

710

816

711

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

712

818

713

819

</para>

714

820

</informalexample>

717

823

718

824

<title>SECURITY</title>

719

825

<para>

720

This program is set-uid to root, but will switch back to the

721

original (and presumably non-privileged) user and group after

722

bringing up the network interface.

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

723

829

</para>

724

830

<para>

725

831

To use this program for its intended purpose (see <xref

738

844

<para>

739

845

The only remaining weak point is that someone with physical

740

846

access to the client hard drive might turn off the client

741

computer, read the OpenPGP keys directly from the hard drive,

742

and communicate with the server. To safeguard against this, the

743

server is supposed to notice the client disappearing and stop

744

giving out the encrypted data. Therefore, it is important to

745

set the timeout and checker interval values tightly on the

746

server. See <citerefentry><refentrytitle

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

747

853

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

748

854

</para>

749

855

<para>

750

856

It will also help if the checker program on the server is

751

857

configured to request something from the client which can not be

752

spoofed by someone else on the network, unlike unencrypted

753

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

858

spoofed by someone else on the network, like SSH server key

859

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

860

echo (<quote>ping</quote>) replies.

754

861

</para>

755

862

<para>

756

863

<emphasis>Note</emphasis>: This makes it completely insecure to

772

879

<manvolnum>5</manvolnum></citerefentry>,

773

880

<citerefentry><refentrytitle>mandos</refentrytitle>

774

881

<manvolnum>8</manvolnum></citerefentry>,

775

<citerefentry><refentrytitle>password-prompt</refentrytitle>

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

776

883

<manvolnum>8mandos</manvolnum></citerefentry>,

777

884

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

778

885

<manvolnum>8mandos</manvolnum></citerefentry>

791

898

</varlistentry>

792

899

793

900

<term>

794

<ulink url="http://www.avahi.org/">Avahi</ulink>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

795

902

</term>

796

903

797

904

<para>

802

909

</varlistentry>

803

910

804

911

<term>

805

<ulink url="http://www.gnu.org/software/gnutls/"

806

>GnuTLS</ulink>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

807

913

</term>

808

914

809

915

<para>

810

916

GnuTLS is the library this client uses to implement TLS for

811

917

communicating securely with the server, and at the same time

812

send the public OpenPGP key to the server.

918

send the public key to the server.

813

919

</para>

814

920

</listitem>

815

921

</varlistentry>

816

922

817

923

<term>

818

<ulink url="http://www.gnupg.org/related_software/gpgme/"

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

819

925

>GPGME</ulink>

820

926

</term>

821

927

859

965

</varlistentry>

860

966

861

967

<term>

862

RFC 4346: <citetitle>The Transport Layer Security (TLS)

863

Protocol Version 1.1</citetitle>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

864

970

</term>

865

971

866

972

<para>

867

TLS 1.1 is the protocol implemented by GnuTLS.

973

TLS 1.2 is the protocol implemented by GnuTLS.

868

974

</para>

869

975

</listitem>

870

976

</varlistentry>

881

987

</varlistentry>

882

988

883

989

<term>

884

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

885

1005

Security</citetitle>

886

1006

</term>

887

1007

888

1008

<para>

889

This is implemented by GnuTLS and used by this program so

890

that OpenPGP keys can be used.

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

891

1012

</para>

892

1013

</listitem>

893

1014

</varlistentry>

Older »