/mandos/trunk : revision 1322

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2025-10-27 20:41:11 UTC
Revision ID: teddy@recompile.se-20251027204111-kj8ighpkb6e2ei4f

http://bugs.debian.org/1118977

From: Carles Pina i Estany <carles@pina.cat>

Add Catalan debconf translation

* debian/po/ca.po: New.

Closes: #1118977
Acked-by: Teddy Hogeborn <teddy@recompile.se>

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/ca.po

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2012-06-13">

<!ENTITY TIMESTAMP "2025-06-27">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

101

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--tls-privkey

106

107

<arg choice="plain"><option>-t

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--tls-pubkey

113

114

<arg choice="plain"><option>-T

115

116

</group>

117

<sbr/>

118

<arg>

119

<option>--priority <replaceable>STRING</replaceable></option>

120

</arg>

124

</arg>

125

<sbr/>

126

<arg>

127

<option>--dh-params <replaceable>FILE</replaceable></option>

128

</arg>

129

<sbr/>

130

<arg>

131

<option>--delay <replaceable>SECONDS</replaceable></option>

100

132

</arg>

101

133

<sbr/>

142

174

brings up network interfaces, uses the interfaces’ IPv6

143

175

link-local addresses to get network connectivity, uses Zeroconf

144

176

to find servers on the local network, and communicates with

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

177

servers using TLS with a raw public key to ensure authenticity

178

and confidentiality. This client program keeps running, trying

179

all servers on the network, until it receives a satisfactory

180

reply or a TERM signal. After all servers have been tried, all

149

181

servers are periodically retried. If no servers are found it

150

182

will wait indefinitely for new servers to appear.

151

183

</para>

169

201

</para>

170

202

<para>

171

203

This program is not meant to be run directly; it is really meant

172

to run as a plugin of the <application>Mandos</application>

173

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

174

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

175

initial <acronym>RAM</acronym> disk environment because it is

176

specified as a <quote>keyscript</quote> in the <citerefentry>

177

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

178

</citerefentry> file.

204

to be run by other programs in the initial

205

<acronym>RAM</acronym> disk environment; see <xref

206

linkend="overview"/>.

179

207

</para>

180

208

</refsect1>

181

209

193

221

<title>OPTIONS</title>

194

222

<para>

195

223

This program is commonly not invoked from the command line; it

196

is normally started by the <application>Mandos</application>

197

plugin runner, see <citerefentry><refentrytitle

198

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

199

</citerefentry>. Any command line options this program accepts

200

are therefore normally provided by the plugin runner, and not

201

directly.

224

is normally started by another program as described in <xref

225

linkend="description"/>. Any command line options this program

226

accepts are therefore normally provided by the invoking program,

227

and not directly.

202

228

</para>

203

229

204

230

218

244

assumed to separate the address from the port number.

219

245

</para>

220

246

<para>

221

This option is normally only useful for testing and

222

debugging.

247

Normally, Zeroconf would be used to locate Mandos servers,

248

in which case this option would only be used when testing

249

and debugging.

223

250

</para>

224

251

</listitem>

225

252

</varlistentry>

226

253

227

254

228

255

<term><option>--interface=<replaceable

229

>NAME</replaceable></option></term>

256

>NAME</replaceable><arg rep='repeat'>,<replaceable

257

>NAME</replaceable></arg></option></term>

230

258

<term><option>-i

231

259

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

260

>NAME</replaceable></arg></option></term>

232

261

233

262

<para>

234

263

Comma separated list of network interfaces that will be

237

266

use all appropriate interfaces.

238

267

</para>

239

268

<para>

240

If the <option>--connect</option> option is used, this

241

specifies the interface to use to connect to the address

242

given.

269

If the <option>--connect</option> option is used, and

270

exactly one interface name is specified (except

271

<quote><literal>none</literal></quote>), this specifies

272

the interface to use to connect to the address given.

243

273

</para>

244

274

<para>

245

275

Note that since this program will normally run in the

254

284

</para>

255

285

<para>

256

286

<replaceable>NAME</replaceable> can be the string

257

<quote><literal>none</literal></quote>; this will not use

258

any specific interface, and will not bring up an interface

259

on startup. This is not recommended, and only meant for

260

advanced users.

287

<quote><literal>none</literal></quote>; this will make

288

<command>&COMMANDNAME;</command> only bring up interfaces

289

specified <emphasis>before</emphasis> this string. This

290

is not recommended, and only meant for advanced users.

261

291

</para>

262

292

</listitem>

263

293

</varlistentry>

291

321

</varlistentry>

292

322

293

323

324

<term><option>--tls-pubkey=<replaceable

325

>FILE</replaceable></option></term>

326

<term><option>-T

327

328

329

<para>

330

TLS raw public key file name. The default name is

331

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

332

></quote>.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

338

<term><option>--tls-privkey=<replaceable

339

>FILE</replaceable></option></term>

340

<term><option>-t

341

342

343

<para>

344

TLS secret key file name. The default name is

345

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

346

></quote>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

294

352

<term><option>--priority=<replaceable

295

353

>STRING</replaceable></option></term>

296

354

305

363

306

364

<para>

307

365

Sets the number of bits to use for the prime number in the

308

TLS Diffie-Hellman key exchange. Default is 1024.

366

TLS Diffie-Hellman key exchange. The default value is

367

selected automatically based on the GnuTLS security

368

profile set in its priority string. Note that if the

369

<option>--dh-params</option> option is used, the values

370

from that file will be used instead.

371

</para>

372

</listitem>

373

</varlistentry>

374

375

376

<term><option>--dh-params=<replaceable

377

>FILE</replaceable></option></term>

378

379

<para>

380

Specifies a PEM-encoded PKCS#3 file to read the parameters

381

needed by the TLS Diffie-Hellman key exchange from. If

382

this option is not given, or if the file for some reason

383

could not be used, the parameters will be generated on

384

startup, which will take some time and processing power.

385

Those using servers running under time, power or processor

386

constraints may want to generate such a file in advance

387

and use this option.

309

388

</para>

310

389

</listitem>

311

390

</varlistentry>

402

481

<title>OVERVIEW</title>

403

482

<xi:include href="../overview.xml"/>

404

483

<para>

405

This program is the client part. It is a plugin started by

406

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

407

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

408

an initial <acronym>RAM</acronym> disk environment.

484

This program is the client part. It is run automatically in an

485

initial <acronym>RAM</acronym> disk environment.

486

</para>

487

<para>

488

In an initial <acronym>RAM</acronym> disk environment using

489

<citerefentry><refentrytitle>systemd</refentrytitle>

490

<manvolnum>1</manvolnum></citerefentry>, this program is started

491

by the <application>Mandos</application> <citerefentry>

492

<refentrytitle>password-agent</refentrytitle>

493

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

494

started automatically by the <citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> <quote>Password Agent</quote> system.

497

</para>

498

<para>

499

In the case of a non-<citerefentry>

500

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

501

</citerefentry> environment, this program is started as a plugin

502

of the <application>Mandos</application> <citerefentry>

503

<refentrytitle>plugin-runner</refentrytitle>

504

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

505

initial <acronym>RAM</acronym> disk environment because it is

506

specified as a <quote>keyscript</quote> in the <citerefentry>

507

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

508

</citerefentry> file.

409

509

</para>

410

510

<para>

411

511

This program could, theoretically, be used as a keyscript in

412

512

<filename>/etc/crypttab</filename>, but it would then be

413

513

impossible to enter a password for the encrypted root disk at

414

514

the console, since this program does not read from the console

415

at all. This is why a separate plugin runner (<citerefentry>

416

<refentrytitle>plugin-runner</refentrytitle>

417

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

418

both this program and others in in parallel,

419

<emphasis>one</emphasis> of which (<citerefentry>

420

<refentrytitle>password-prompt</refentrytitle>

421

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

422

passwords on the system console.

515

at all.

423

516

</para>

424

517

</refsect1>

425

518

438

531

439

532

440

533

<title>ENVIRONMENT</title>

534

535

536

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

537

538

<para>

539

This environment variable will be assumed to contain the

540

directory containing any helper executables. The use and

541

nature of these helper executables, if any, is purposely

542

not documented.

543

</para>

544

</listitem>

545

</varlistentry>

546

</variablelist>

441

547

<para>

442

This program does not use any environment variables, not even

443

the ones provided by <citerefentry><refentrytitle

548

This program does not use any other environment variables, not

549

even the ones provided by <citerefentry><refentrytitle

444

550

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

445

551

</citerefentry>.

446

552

</para>

508

614

It is not necessary to print any non-executable files

509

615

already in the network hook directory, these will be

510

616

copied implicitly if they otherwise satisfy the name

511

requirement.

617

requirements.

512

618

</para>

513

619

</listitem>

514

620

</varlistentry>

633

739

</listitem>

634

740

</varlistentry>

635

741

742

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

743

></term>

744

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

745

></term>

746

747

<para>

748

Public and private raw key files, in <quote>PEM</quote>

749

format. These are the default file names, they can be

750

changed with the <option>--tls-pubkey</option> and

751

<option>--tls-privkey</option> options.

752

</para>

753

</listitem>

754

</varlistentry>

755

636

756

<term><filename

637

757

class="directory">/lib/mandos/network-hooks.d</filename></term>

638

758

646

766

</variablelist>

647

767

</refsect1>

648

768

649

650

651

652

653

769

770

771

<xi:include href="../bugs.xml"/>

772

</refsect1>

654

773

655

774

656

775

<title>EXAMPLE</title>

657

776

<para>

658

777

Note that normally, command line options will not be given

659

directly, but via options for the Mandos <citerefentry

660

><refentrytitle>plugin-runner</refentrytitle>

661

<manvolnum>8mandos</manvolnum></citerefentry>.

778

directly, but passed on via the program responsible for starting

779

this program; see <xref linkend="overview"/>.

662

780

</para>

663

781

664

782

<para>

665

Normal invocation needs no options, if the network interface

783

Normal invocation needs no options, if the network interfaces

666

784

can be automatically determined:

667

785

</para>

668

786

<para>

671

789

</informalexample>

672

790

673

791

<para>

674

Search for Mandos servers (and connect to them) using another

675

interface:

792

Search for Mandos servers (and connect to them) using one

793

specific interface:

676

794

</para>

677

795

<para>

678

796

681

799

</informalexample>

682

800

683

801

<para>

684

Run in debug mode, and use a custom key:

802

Run in debug mode, and use custom keys:

685

803

</para>

686

804

<para>

687

805

688

806

689

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

807

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

690

808

691

809

</para>

692

810

</informalexample>

693

811

694

812

<para>

695

Run in debug mode, with a custom key, and do not use Zeroconf

813

Run in debug mode, with custom keys, and do not use Zeroconf

696

814

to locate a server; connect directly to the IPv6 link-local

697

815

address <quote><systemitem class="ipaddress"

698

816

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

701

819

<para>

702

820

703

821

704

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

822

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

705

823

706

824

</para>

707

825

</informalexample>

710

828

711

829

<title>SECURITY</title>

712

830

<para>

713

This program is set-uid to root, but will switch back to the

714

original (and presumably non-privileged) user and group after

715

bringing up the network interface.

831

This program assumes that it is set-uid to root, and will switch

832

back to the original (and presumably non-privileged) user and

833

group after bringing up the network interface.

716

834

</para>

717

835

<para>

718

836

To use this program for its intended purpose (see <xref

731

849

<para>

732

850

The only remaining weak point is that someone with physical

733

851

access to the client hard drive might turn off the client

734

computer, read the OpenPGP keys directly from the hard drive,

735

and communicate with the server. To safeguard against this, the

736

server is supposed to notice the client disappearing and stop

737

giving out the encrypted data. Therefore, it is important to

738

set the timeout and checker interval values tightly on the

739

server. See <citerefentry><refentrytitle

852

computer, read the OpenPGP and TLS keys directly from the hard

853

drive, and communicate with the server. To safeguard against

854

this, the server is supposed to notice the client disappearing

855

and stop giving out the encrypted data. Therefore, it is

856

important to set the timeout and checker interval values tightly

857

on the server. See <citerefentry><refentrytitle

740

858

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

741

859

</para>

742

860

<para>

743

861

It will also help if the checker program on the server is

744

862

configured to request something from the client which can not be

745

spoofed by someone else on the network, unlike unencrypted

746

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

863

spoofed by someone else on the network, like SSH server key

864

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

865

echo (<quote>ping</quote>) replies.

747

866

</para>

748

867

<para>

749

868

<emphasis>Note</emphasis>: This makes it completely insecure to

765

884

<manvolnum>5</manvolnum></citerefentry>,

766

885

<citerefentry><refentrytitle>mandos</refentrytitle>

767

886

<manvolnum>8</manvolnum></citerefentry>,

768

<citerefentry><refentrytitle>password-prompt</refentrytitle>

887

<citerefentry><refentrytitle>password-agent</refentrytitle>

769

888

<manvolnum>8mandos</manvolnum></citerefentry>,

770

889

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

771

890

<manvolnum>8mandos</manvolnum></citerefentry>

784

903

</varlistentry>

785

904

786

905

<term>

787

<ulink url="http://www.avahi.org/">Avahi</ulink>

906

<ulink url="https://www.avahi.org/">Avahi</ulink>

788

907

</term>

789

908

790

909

<para>

795

914

</varlistentry>

796

915

797

916

<term>

798

<ulink url="http://www.gnu.org/software/gnutls/"

799

>GnuTLS</ulink>

917

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

800

918

</term>

801

919

802

920

<para>

803

921

GnuTLS is the library this client uses to implement TLS for

804

922

communicating securely with the server, and at the same time

805

send the public OpenPGP key to the server.

923

send the public key to the server.

806

924

</para>

807

925

</listitem>

808

926

</varlistentry>

809

927

810

928

<term>

811

<ulink url="http://www.gnupg.org/related_software/gpgme/"

929

<ulink url="https://www.gnupg.org/related_software/gpgme/"

812

930

>GPGME</ulink>

813

931

</term>

814

932

842

960

<para>

843

961

This client uses IPv6 link-local addresses, which are

844

962

immediately usable since a link-local addresses is

845

automatically assigned to a network interfaces when it

963

automatically assigned to a network interface when it

846

964

is brought up.

847

965

</para>

848

966

</listitem>

852

970

</varlistentry>

853

971

854

972

<term>

855

RFC 4346: <citetitle>The Transport Layer Security (TLS)

856

Protocol Version 1.1</citetitle>

973

RFC 5246: <citetitle>The Transport Layer Security (TLS)

974

Protocol Version 1.2</citetitle>

857

975

</term>

858

976

859

977

<para>

860

TLS 1.1 is the protocol implemented by GnuTLS.

978

TLS 1.2 is the protocol implemented by GnuTLS.

861

979

</para>

862

980

</listitem>

863

981

</varlistentry>

874

992

</varlistentry>

875

993

876

994

<term>

877

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

995

RFC 7250: <citetitle>Using Raw Public Keys in Transport

996

Layer Security (TLS) and Datagram Transport Layer Security

997

(DTLS)</citetitle>

998

</term>

999

1000

<para>

1001

This is implemented by GnuTLS in version 3.6.6 and is, if

1002

present, used by this program so that raw public keys can be

1003

used.

1004

</para>

1005

</listitem>

1006

</varlistentry>

1007

1008

<term>

1009

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

878

1010

Security</citetitle>

879

1011

</term>

880

1012

881

1013

<para>

882

This is implemented by GnuTLS and used by this program so

883

that OpenPGP keys can be used.

1014

This is implemented by GnuTLS before version 3.6.0 and is,

1015

if present, used by this program so that OpenPGP keys can be

1016

used.

884

1017

</para>

885

1018

</listitem>

886

1019

</varlistentry>

Older »