/mandos/trunk : revision 142

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 17:42:53 UTC
Revision ID: teddy@fukt.bsnet.se-20080902174253-p3wxrq7z6ccnv7fs

* plugins.d/password-request.c (main): Change default GnuTLS priority
                                       string to
                             "SECURE256":!CTYPE-X.509:+CTYPE-OPENPGP".

* plugins.d/password-request.xml (DESCRIPTION): Improve wording.
  (PURPOSE, OVERVIEW): New sections.
  (OPTIONS): Improved wording.
  (EXIT STATUS): Add text.
  (ENVIRONMENT): Commented out.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2009-01-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

115

120

</group>

116

121

</cmdsynopsis>

117

122

</refsynopsisdiv>

118

123

119

124

120

125

<title>DESCRIPTION</title>

121

126

<para>

122

127

<command>&COMMANDNAME;</command> is a client program that

123

128

communicates with <citerefentry><refentrytitle

124

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

125

to get a password. In slightly more detail, this client program

126

brings up a network interface, uses the interface’s IPv6

127

link-local address to get network connectivity, uses Zeroconf to

128

find servers on the local network, and communicates with servers

129

using TLS with an OpenPGP key to ensure authenticity and

130

confidentiality. This client program keeps running, trying all

131

servers on the network, until it receives a satisfactory reply

132

or a TERM signal is received. If no servers are found, or after

133

all servers have been tried, it waits indefinitely for new

134

servers to appear.

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

135

</para>

136

<para>

137

This program is not meant to be run directly; it is really meant

138

to run as a plugin of the <application>Mandos</application>

139

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

140

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

141

initial <acronym>RAM</acronym> disk environment because it is

142

specified as a <quote>keyscript</quote> in the <citerefentry>

143

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

144

</citerefentry> file.

140

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn

141

runs as a <quote>keyscript</quote> specified in the

142

<citerefentry><refentrytitle>crypttab</refentrytitle>

143

<manvolnum>5</manvolnum></citerefentry> file.

145

144

</para>

146

145

</refsect1>

147

146

155

154

</para>

156

155

</refsect1>

157

156

157

158

<title>OVERVIEW</title>

159

<xi:include href="overview.xml"/>

160

<para>

161

This program is the client part. It is a plugin started by

162

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

164

an initial <acronym>RAM</acronym> disk environment.

165

</para>

166

<para>

167

This program could, theoretically, be used as a keyscript in

168

<filename>/etc/crypttab</filename>, but it would then be

169

impossible to enter the encrypted root disk password at the

170

console, since this program does not read from the console at

171

all. This is why a separate plugin does that, which will be run

172

in parallell to this one.

173

</para>

174

</refsect1>

175

158

176

159

177

<title>OPTIONS</title>

160

178

<para>

170

188

171

189

172

190

<term><option>--connect=<replaceable

173

>ADDRESS</replaceable><literal>:</literal><replaceable

191

>IPADDR</replaceable><literal>:</literal><replaceable

174

192

>PORT</replaceable></option></term>

175

193

<term><option>-c

176

<replaceable>ADDRESS</replaceable><literal>:</literal

194

<replaceable>IPADDR</replaceable><literal>:</literal

177

195

><replaceable>PORT</replaceable></option></term>

178

196

179

197

<para>

184

202

assumed to separate the address from the port number.

185

203

</para>

186

204

<para>

187

This option is normally only useful for testing and

188

debugging.

205

This option is normally only useful for debugging.

189

206

</para>

190

207

</listitem>

191

208

</varlistentry>

192

209

193

210

211

<term><option>--keydir=<replaceable

212

>DIRECTORY</replaceable></option></term>

213

<term><option>-d

214

<replaceable>DIRECTORY</replaceable></option></term>

215

216

<para>

217

Directory to read the OpenPGP key files

218

<filename>pubkey.txt</filename> and

219

<filename>seckey.txt</filename> from. The default is

220

<filename>/conf/conf.d/mandos</filename> (in the initial

221

<acronym>RAM</acronym> disk environment).

222

</para>

223

</listitem>

224

</varlistentry>

225

226

194

227

<term><option>--interface=

195

228

196

229

<term><option>-i

201

234

Mandos servers to connect to. The default it

202

235

<quote><literal>eth0</literal></quote>.

203

236

</para>

204

<para>

205

If the <option>--connect</option> option is used, this

206

specifies the interface to use to connect to the address

207

given.

208

</para>

209

<para>

210

Note that since this program will normally run in the

211

initial RAM disk environment, the interface must be an

212

interface which exists at that stage. Thus, the interface

213

can not be a pseudo-interface such as <quote>br0</quote>

214

or <quote>tun0</quote>; such interfaces will not exist

215

until much later in the boot process, and can not be used

216

by this program.

217

</para>

218

237

</listitem>

219

238

</varlistentry>

220

239

225

244

226

245

227

246

<para>

228

OpenPGP public key file name. The default name is

229

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

230

></quote>.

247

OpenPGP public key file name. This will be combined with

248

the directory from the <option>--keydir</option> option to

249

form an absolute file name. The default name is

250

<quote><literal>pubkey.txt</literal></quote>.

231

251

</para>

232

252

</listitem>

233

253

</varlistentry>

234

254

235

255

236

256

<term><option>--seckey=<replaceable

237

257

>FILE</replaceable></option></term>

239

259

240

260

241

261

<para>

242

OpenPGP secret key file name. The default name is

243

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

244

></quote>.

262

OpenPGP secret key file name. This will be combined with

263

the directory from the <option>--keydir</option> option to

264

form an absolute file name. The default name is

265

<quote><literal>seckey.txt</literal></quote>.

245

266

</para>

246

267

</listitem>

247

268

</varlistentry>

250

271

<term><option>--priority=<replaceable

251

272

>STRING</replaceable></option></term>

252

273

253

<xi:include href="../mandos-options.xml"

254

xpointer="priority"/>

274

<xi:include href="mandos-options.xml" xpointer="priority"/>

255

275

</listitem>

256

276

</varlistentry>

257

277

258

278

259

279

<term><option>--dh-bits=<replaceable

260

280

>BITS</replaceable></option></term>

300

320

</para>

301

321

</listitem>

302

322

</varlistentry>

303

323

304

324

305

325

<term><option>--version</option></term>

306

326

312

332

</varlistentry>

313

333

</variablelist>

314

334

</refsect1>

315

316

317

<title>OVERVIEW</title>

318

<xi:include href="../overview.xml"/>

319

<para>

320

This program is the client part. It is a plugin started by

321

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

322

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

323

an initial <acronym>RAM</acronym> disk environment.

324

</para>

325

<para>

326

This program could, theoretically, be used as a keyscript in

327

<filename>/etc/crypttab</filename>, but it would then be

328

impossible to enter a password for the encrypted root disk at

329

the console, since this program does not read from the console

330

at all. This is why a separate plugin runner (<citerefentry>

331

<refentrytitle>plugin-runner</refentrytitle>

332

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

333

both this program and others in in parallel,

334

<emphasis>one</emphasis> of which will prompt for passwords on

335

the system console.

336

</para>

337

</refsect1>

338

335

339

336

340

337

<title>EXIT STATUS</title>

341

338

<para>

344

341

successfully decrypted and output on standard output. The

345

342

program will exit with a non-zero exit status only if a critical

346

343

error occurs. Otherwise, it will forever connect to new

347

<application>Mandos</application> servers as they appear, trying

348

to get a decryptable password and print it.

349

</para>

350

</refsect1>

351

352

353

<title>ENVIRONMENT</title>

354

<para>

355

This program does not use any environment variables, not even

356

the ones provided by <citerefentry><refentrytitle

357

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

358

</citerefentry>.

359

</para>

360

</refsect1>

361

362

363

<title>FILES</title>

364

365

366

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

367

></term>

368

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

369

></term>

370

371

<para>

372

OpenPGP public and private key files, in <quote>ASCII

373

Armor</quote> format. These are the default file names,

374

they can be changed with the <option>--pubkey</option> and

375

<option>--seckey</option> options.

376

</para>

377

</listitem>

378

</varlistentry>

379

</variablelist>

380

</refsect1>

381

382

383

344

<application>Mandosservers</application> servers as they appear,

345

trying to get a decryptable password.

346

</para>

347

</refsect1>

348

349

350

384

351

352

385

353

386

354

387

355

356

357

<title>FILES</title>

358

<para>

359

</para>

360

</refsect1>

361

362

363

364

<para>

365

</para>

366

</refsect1>

367

388

368

389

369

<title>EXAMPLE</title>

390

370

<para>

391

Note that normally, command line options will not be given

392

directly, but via options for the Mandos <citerefentry

393

><refentrytitle>plugin-runner</refentrytitle>

394

<manvolnum>8mandos</manvolnum></citerefentry>.

395

371

</para>

396

397

<para>

398

Normal invocation needs no options, if the network interface

399

is <quote>eth0</quote>:

400

</para>

401

<para>

402

<userinput>&COMMANDNAME;</userinput>

403

</para>

404

</informalexample>

405

406

<para>

407

Search for Mandos servers (and connect to them) using another

408

interface:

409

</para>

410

<para>

411

412

<userinput>&COMMANDNAME; --interface eth1</userinput>

413

</para>

414

</informalexample>

415

416

<para>

417

Run in debug mode, and use a custom key:

418

</para>

419

<para>

420

421

422

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

423

424

</para>

425

</informalexample>

426

427

<para>

428

Run in debug mode, with a custom key, and do not use Zeroconf

429

to locate a server; connect directly to the IPv6 address

430

<quote><systemitem class="ipaddress"

431

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

432

port 4711, using interface eth2:

433

</para>

434

<para>

435

436

437

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

438

439

</para>

440

</informalexample>

441

372

</refsect1>

442

373

443

374

444

375

<title>SECURITY</title>

445

376

<para>

446

This program is set-uid to root, but will switch back to the

447

original (and presumably non-privileged) user and group after

448

bringing up the network interface.

449

</para>

450

<para>

451

To use this program for its intended purpose (see <xref

452

linkend="purpose"/>), the password for the root file system will

453

have to be given out to be stored in a server computer, after

454

having been encrypted using an OpenPGP key. This encrypted data

455

which will be stored in a server can only be decrypted by the

456

OpenPGP key, and the data will only be given out to those

457

clients who can prove they actually have that key. This key,

458

however, is stored unencrypted on the client side in its initial

459

<acronym>RAM</acronym> disk image file system. This is normally

460

readable by all, but this is normally fixed during installation

461

of this program; file permissions are set so that no-one is able

462

to read that file.

463

</para>

464

<para>

465

The only remaining weak point is that someone with physical

466

access to the client hard drive might turn off the client

467

computer, read the OpenPGP keys directly from the hard drive,

468

and communicate with the server. To safeguard against this, the

469

server is supposed to notice the client disappearing and stop

470

giving out the encrypted data. Therefore, it is important to

471

set the timeout and checker interval values tightly on the

472

server. See <citerefentry><refentrytitle

473

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

474

</para>

475

<para>

476

It will also help if the checker program on the server is

477

configured to request something from the client which can not be

478

spoofed by someone else on the network, unlike unencrypted

479

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

480

</para>

481

<para>

482

<emphasis>Note</emphasis>: This makes it completely insecure to

483

have <application >Mandos</application> clients which dual-boot

484

to another operating system which is <emphasis>not</emphasis>

485

trusted to keep the initial <acronym>RAM</acronym> disk image

486

confidential.

487

377

</para>

488

378

</refsect1>

489

379

490

380

491

381

492

382

<para>

493

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

494

<manvolnum>8</manvolnum></citerefentry>,

495

<citerefentry><refentrytitle>crypttab</refentrytitle>

496

<manvolnum>5</manvolnum></citerefentry>,

497

383

<citerefentry><refentrytitle>mandos</refentrytitle>

498

384

<manvolnum>8</manvolnum></citerefentry>,

499

385

<citerefentry><refentrytitle>password-prompt</refentrytitle>

501

387

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

502

388

<manvolnum>8mandos</manvolnum></citerefentry>

503

389

</para>

504

505

506

<term>

507

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

508

</term>

509

510

<para>

511

Zeroconf is the network protocol standard used for finding

512

Mandos servers on the local network.

513

</para>

514

</listitem>

515

</varlistentry>

516

517

<term>

518

<ulink url="http://www.avahi.org/">Avahi</ulink>

519

</term>

520

521

<para>

522

Avahi is the library this program calls to find Zeroconf

523

services.

524

</para>

525

</listitem>

526

</varlistentry>

527

528

<term>

529

<ulink url="http://www.gnu.org/software/gnutls/"

530

>GnuTLS</ulink>

531

</term>

532

533

<para>

534

GnuTLS is the library this client uses to implement TLS for

535

communicating securely with the server, and at the same time

536

send the public OpenPGP key to the server.

537

</para>

538

</listitem>

539

</varlistentry>

540

541

<term>

542

<ulink url="http://www.gnupg.org/related_software/gpgme/"

543

>GPGME</ulink>

544

</term>

545

546

<para>

547

GPGME is the library used to decrypt the OpenPGP data sent

548

by the server.

549

</para>

550

</listitem>

551

</varlistentry>

552

553

<term>

554

RFC 4291: <citetitle>IP Version 6 Addressing

555

Architecture</citetitle>

556

</term>

557

558

559

560

<term>Section 2.2: <citetitle>Text Representation of

561

Addresses</citetitle></term>

562

563

</varlistentry>

564

565

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

566

Address</citetitle></term>

567

568

</varlistentry>

569

570

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

571

Addresses</citetitle></term>

572

573

<para>

574

This client uses IPv6 link-local addresses, which are

575

immediately usable since a link-local addresses is

576

automatically assigned to a network interfaces when it

577

is brought up.

578

</para>

579

</listitem>

580

</varlistentry>

581

</variablelist>

582

</listitem>

583

</varlistentry>

584

585

<term>

586

RFC 4346: <citetitle>The Transport Layer Security (TLS)

587

Protocol Version 1.1</citetitle>

588

</term>

589

590

<para>

591

TLS 1.1 is the protocol implemented by GnuTLS.

592

</para>

593

</listitem>

594

</varlistentry>

595

596

<term>

597

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

598

</term>

599

600

<para>

601

The data received from the server is binary encrypted

602

OpenPGP data.

603

</para>

604

</listitem>

605

</varlistentry>

606

607

<term>

608

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

609

Security</citetitle>

610

</term>

611

612

<para>

613

This is implemented by GnuTLS and used by this program so

614

that OpenPGP keys can be used.

615

</para>

616

</listitem>

617

</varlistentry>

618

</variablelist>

390

391

392

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

393

</para></listitem>

394

395

396

<ulink url="http://www.avahi.org/">Avahi</ulink>

397

</para></listitem>

398

399

400

<ulink

401

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

402

</para></listitem>

403

404

405

<ulink

406

url="http://www.gnupg.org/related_software/gpgme/">

407

GPGME</ulink>

408

</para></listitem>

409

410

411

<citation>RFC 4880: <citetitle>OpenPGP Message

412

Format</citetitle></citation>

413

</para></listitem>

414

415

416

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

417

Transport Layer Security</citetitle></citation>

418

</para></listitem>

419

420

421

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

422

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

423

Unicast Addresses</citation>

424

</para></listitem>

425

</itemizedlist>

619

426

</refsect1>

427

620

428

</refentry>

621

622

429

623

430

624

431

Older »