/mandos/trunk : revision 142

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 17:42:53 UTC
Revision ID: teddy@fukt.bsnet.se-20080902174253-p3wxrq7z6ccnv7fs

* plugins.d/password-request.c (main): Change default GnuTLS priority
                                       string to
                             "SECURE256":!CTYPE-X.509:+CTYPE-OPENPGP".

* plugins.d/password-request.xml (DESCRIPTION): Improve wording.
  (PURPOSE, OVERVIEW): New sections.
  (OPTIONS): Improved wording.
  (EXIT STATUS): Add text.
  (ENVIRONMENT): Commented out.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2014-03-05">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

</arg>

<sbr/>

100

<arg>

101

<option>--delay <replaceable>SECONDS</replaceable></option>

102

</arg>

103

<sbr/>

104

<arg>

105

<option>--retry <replaceable>SECONDS</replaceable></option>

106

</arg>

107

<sbr/>

108

<arg>

109

<option>--network-hook-dir

110

111

</arg>

112

<sbr/>

113

<arg>

114

101

<option>--debug</option>

115

102

</arg>

116

103

</cmdsynopsis>

133

120

</group>

134

121

</cmdsynopsis>

135

122

</refsynopsisdiv>

136

123

137

124

138

125

<title>DESCRIPTION</title>

139

126

<para>

140

127

<command>&COMMANDNAME;</command> is a client program that

141

128

communicates with <citerefentry><refentrytitle

142

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

143

to get a password. In slightly more detail, this client program

144

brings up network interfaces, uses the interfaces’ IPv6

145

link-local addresses to get network connectivity, uses Zeroconf

146

to find servers on the local network, and communicates with

147

servers using TLS with an OpenPGP key to ensure authenticity and

148

confidentiality. This client program keeps running, trying all

149

servers on the network, until it receives a satisfactory reply

150

or a TERM signal. After all servers have been tried, all

151

servers are periodically retried. If no servers are found it

152

will wait indefinitely for new servers to appear.

153

</para>

154

<para>

155

The network interfaces are selected like this: If any interfaces

156

are specified using the <option>--interface</option> option,

157

those interface are used. Otherwise,

158

<command>&COMMANDNAME;</command> will use all interfaces that

159

are not loopback interfaces, are not point-to-point interfaces,

160

are capable of broadcasting and do not have the NOARP flag (see

161

<citerefentry><refentrytitle>netdevice</refentrytitle>

162

<manvolnum>7</manvolnum></citerefentry>). (If the

163

<option>--connect</option> option is used, point-to-point

164

interfaces and non-broadcast interfaces are accepted.) If any

165

used interfaces are not up and running, they are first taken up

166

(and later taken down again on program exit).

167

</para>

168

<para>

169

Before network interfaces are selected, all <quote>network

170

hooks</quote> are run; see <xref linkend="network-hooks"/>.

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

171

135

</para>

172

136

<para>

173

137

This program is not meant to be run directly; it is really meant

174

138

to run as a plugin of the <application>Mandos</application>

175

139

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

176

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

177

initial <acronym>RAM</acronym> disk environment because it is

178

specified as a <quote>keyscript</quote> in the <citerefentry>

179

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

180

</citerefentry> file.

140

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn

141

runs as a <quote>keyscript</quote> specified in the

142

<citerefentry><refentrytitle>crypttab</refentrytitle>

143

<manvolnum>5</manvolnum></citerefentry> file.

181

144

</para>

182

145

</refsect1>

183

146

191

154

</para>

192

155

</refsect1>

193

156

157

158

<title>OVERVIEW</title>

159

<xi:include href="overview.xml"/>

160

<para>

161

This program is the client part. It is a plugin started by

162

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

164

an initial <acronym>RAM</acronym> disk environment.

165

</para>

166

<para>

167

This program could, theoretically, be used as a keyscript in

168

<filename>/etc/crypttab</filename>, but it would then be

169

impossible to enter the encrypted root disk password at the

170

console, since this program does not read from the console at

171

all. This is why a separate plugin does that, which will be run

172

in parallell to this one.

173

</para>

174

</refsect1>

175

194

176

195

177

<title>OPTIONS</title>

196

178

<para>

206

188

207

189

208

190

<term><option>--connect=<replaceable

209

>ADDRESS</replaceable><literal>:</literal><replaceable

191

>IPADDR</replaceable><literal>:</literal><replaceable

210

192

>PORT</replaceable></option></term>

211

193

<term><option>-c

212

<replaceable>ADDRESS</replaceable><literal>:</literal

194

<replaceable>IPADDR</replaceable><literal>:</literal

213

195

><replaceable>PORT</replaceable></option></term>

214

196

215

197

<para>

220

202

assumed to separate the address from the port number.

221

203

</para>

222

204

<para>

223

Normally, Zeroconf would be used to locate Mandos servers,

224

in which case this option would only be used when testing

225

and debugging.

205

This option is normally only useful for debugging.

226

206

</para>

227

207

</listitem>

228

208

</varlistentry>

229

209

230

210

231

<term><option>--interface=<replaceable

232

>NAME</replaceable><arg rep='repeat'>,<replaceable

233

>NAME</replaceable></arg></option></term>

211

<term><option>--keydir=<replaceable

212

>DIRECTORY</replaceable></option></term>

213

<term><option>-d

214

<replaceable>DIRECTORY</replaceable></option></term>

215

216

<para>

217

Directory to read the OpenPGP key files

218

<filename>pubkey.txt</filename> and

219

<filename>seckey.txt</filename> from. The default is

220

<filename>/conf/conf.d/mandos</filename> (in the initial

221

<acronym>RAM</acronym> disk environment).

222

</para>

223

</listitem>

224

</varlistentry>

225

226

227

<term><option>--interface=

228

234

229

<term><option>-i

235

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

236

>NAME</replaceable></arg></option></term>

230

237

231

238

232

<para>

239

Comma separated list of network interfaces that will be

240

brought up and scanned for Mandos servers to connect to.

241

The default is the empty string, which will automatically

242

use all appropriate interfaces.

243

</para>

244

<para>

245

If the <option>--connect</option> option is used, and

246

exactly one interface name is specified (except

247

<quote><literal>none</literal></quote>), this specifies

248

the interface to use to connect to the address given.

249

</para>

250

<para>

251

Note that since this program will normally run in the

252

initial RAM disk environment, the interface must be an

253

interface which exists at that stage. Thus, the interface

254

can normally not be a pseudo-interface such as

255

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

256

will not exist until much later in the boot process, and

257

can not be used by this program, unless created by a

258

<quote>network hook</quote> — see <xref

259

linkend="network-hooks"/>.

260

</para>

261

<para>

262

<replaceable>NAME</replaceable> can be the string

263

<quote><literal>none</literal></quote>; this will make

264

<command>&COMMANDNAME;</command> only bring up interfaces

265

specified <emphasis>before</emphasis> this string. This

266

is not recommended, and only meant for advanced users.

233

Network interface that will be brought up and scanned for

234

Mandos servers to connect to. The default it

235

<quote><literal>eth0</literal></quote>.

267

236

</para>

268

237

</listitem>

269

238

</varlistentry>

275

244

276

245

277

246

<para>

278

OpenPGP public key file name. The default name is

279

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

280

></quote>.

247

OpenPGP public key file name. This will be combined with

248

the directory from the <option>--keydir</option> option to

249

form an absolute file name. The default name is

250

<quote><literal>pubkey.txt</literal></quote>.

281

251

</para>

282

252

</listitem>

283

253

</varlistentry>

284

254

285

255

286

256

<term><option>--seckey=<replaceable

287

257

>FILE</replaceable></option></term>

289

259

290

260

291

261

<para>

292

OpenPGP secret key file name. The default name is

293

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

294

></quote>.

262

OpenPGP secret key file name. This will be combined with

263

the directory from the <option>--keydir</option> option to

264

form an absolute file name. The default name is

265

<quote><literal>seckey.txt</literal></quote>.

295

266

</para>

296

267

</listitem>

297

268

</varlistentry>

300

271

<term><option>--priority=<replaceable

301

272

>STRING</replaceable></option></term>

302

273

303

<xi:include href="../mandos-options.xml"

304

xpointer="priority"/>

274

<xi:include href="mandos-options.xml" xpointer="priority"/>

305

275

</listitem>

306

276

</varlistentry>

307

277

308

278

309

279

<term><option>--dh-bits=<replaceable

310

280

>BITS</replaceable></option></term>

315

285

</para>

316

286

</listitem>

317

287

</varlistentry>

318

319

320

<term><option>--delay=<replaceable

321

>SECONDS</replaceable></option></term>

322

323

<para>

324

After bringing a network interface up, the program waits

325

for the interface to arrive in a <quote>running</quote>

326

state before proceeding. During this time, the kernel log

327

level will be lowered to reduce clutter on the system

328

console, alleviating any other plugins which might be

329

using the system console. This option sets the upper

330

limit of seconds to wait. The default is 2.5 seconds.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

336

<term><option>--retry=<replaceable

337

>SECONDS</replaceable></option></term>

338

339

<para>

340

All Mandos servers are tried repeatedly until a password

341

is received. This value specifies, in seconds, how long

342

between each successive try <emphasis>for the same

343

server</emphasis>. The default is 10 seconds.

344

</para>

345

</listitem>

346

</varlistentry>

347

348

349

<term><option>--network-hook-dir=<replaceable

350

>DIR</replaceable></option></term>

351

352

<para>

353

Network hook directory. The default directory is

354

<quote><filename class="directory"

355

>/lib/mandos/network-hooks.d</filename></quote>.

356

</para>

357

</listitem>

358

</varlistentry>

359

288

360

289

361

290

<term><option>--debug</option></term>

391

320

</para>

392

321

</listitem>

393

322

</varlistentry>

394

323

395

324

396

325

<term><option>--version</option></term>

397

326

403

332

</varlistentry>

404

333

</variablelist>

405

334

</refsect1>

406

407

408

<title>OVERVIEW</title>

409

<xi:include href="../overview.xml"/>

410

<para>

411

This program is the client part. It is a plugin started by

412

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

413

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

414

an initial <acronym>RAM</acronym> disk environment.

415

</para>

416

<para>

417

This program could, theoretically, be used as a keyscript in

418

<filename>/etc/crypttab</filename>, but it would then be

419

impossible to enter a password for the encrypted root disk at

420

the console, since this program does not read from the console

421

at all. This is why a separate plugin runner (<citerefentry>

422

<refentrytitle>plugin-runner</refentrytitle>

423

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

424

both this program and others in in parallel,

425

<emphasis>one</emphasis> of which (<citerefentry>

426

<refentrytitle>password-prompt</refentrytitle>

427

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

428

passwords on the system console.

429

</para>

430

</refsect1>

431

335

432

336

433

337

<title>EXIT STATUS</title>

434

338

<para>

436

340

server could be found and the password received from it could be

437

341

successfully decrypted and output on standard output. The

438

342

program will exit with a non-zero exit status only if a critical

439

error occurs. Otherwise, it will forever connect to any

440

discovered <application>Mandos</application> servers, trying to

441

get a decryptable password and print it.

442

</para>

443

</refsect1>

444

445

446

<title>ENVIRONMENT</title>

447

<para>

448

This program does not use any environment variables, not even

449

the ones provided by <citerefentry><refentrytitle

450

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

451

</citerefentry>.

452

</para>

453

</refsect1>

454

455

456

<title>NETWORK HOOKS</title>

457

<para>

458

If a network interface like a bridge or tunnel is required to

459

find a Mandos server, this requires the interface to be up and

460

running before <command>&COMMANDNAME;</command> starts looking

461

for Mandos servers. This can be accomplished by creating a

462

<quote>network hook</quote> program, and placing it in a special

463

directory.

464

</para>

465

<para>

466

Before the network is used (and again before program exit), any

467

runnable programs found in the network hook directory are run

468

with the argument <quote><literal>start</literal></quote> or

469

<quote><literal>stop</literal></quote>. This should bring up or

470

down, respectively, any network interface which

471

<command>&COMMANDNAME;</command> should use.

472

</para>

473

474

<title>REQUIREMENTS</title>

475

<para>

476

A network hook must be an executable file, and its name must

477

consist entirely of upper and lower case letters, digits,

478

underscores, periods, and hyphens.

479

</para>

480

<para>

481

A network hook will receive one argument, which can be one of

482

the following:

483

</para>

484

485

486

<term><literal>start</literal></term>

487

488

<para>

489

This should make the network hook create (if necessary)

490

and bring up a network interface.

491

</para>

492

</listitem>

493

</varlistentry>

494

495

496

497

<para>

498

This should make the network hook take down a network

499

interface, and delete it if it did not exist previously.

500

</para>

501

</listitem>

502

</varlistentry>

503

504

<term><literal>files</literal></term>

505

506

<para>

507

This should make the network hook print, <emphasis>one

508

file per line</emphasis>, all the files needed for it to

509

run. (These files will be copied into the initial RAM

510

filesystem.) Typical use is for a network hook which is

511

a shell script to print its needed binaries.

512

</para>

513

<para>

514

It is not necessary to print any non-executable files

515

already in the network hook directory, these will be

516

copied implicitly if they otherwise satisfy the name

517

requirements.

518

</para>

519

</listitem>

520

</varlistentry>

521

522

<term><literal>modules</literal></term>

523

524

<para>

525

This should make the network hook print, <emphasis>on

526

separate lines</emphasis>, all the kernel modules needed

527

for it to run. (These modules will be copied into the

528

initial RAM filesystem.) For instance, a tunnel

529

interface needs the

530

<quote><literal>tun</literal></quote> module.

531

</para>

532

</listitem>

533

</varlistentry>

534

</variablelist>

535

<para>

536

The network hook will be provided with a number of environment

537

variables:

538

</para>

539

540

541

<term><envar>MANDOSNETHOOKDIR</envar></term>

542

543

<para>

544

The network hook directory, specified to

545

<command>&COMMANDNAME;</command> by the

546

<option>--network-hook-dir</option> option. Note: this

547

should <emphasis>always</emphasis> be used by the

548

network hook to refer to itself or any files in the hook

549

directory it may require.

550

</para>

551

</listitem>

552

</varlistentry>

553

554

<term><envar>DEVICE</envar></term>

555

556

<para>

557

The network interfaces, as specified to

558

<command>&COMMANDNAME;</command> by the

559

<option>--interface</option> option, combined to one

560

string and separated by commas. If this is set, and

561

does not contain the interface a hook will bring up,

562

there is no reason for a hook to continue.

563

</para>

564

</listitem>

565

</varlistentry>

566

567

568

569

<para>

570

This will be the same as the first argument;

571

i.e. <quote><literal>start</literal></quote>,

572

<quote><literal>stop</literal></quote>,

573

<quote><literal>files</literal></quote>, or

574

<quote><literal>modules</literal></quote>.

575

</para>

576

</listitem>

577

</varlistentry>

578

579

<term><envar>VERBOSITY</envar></term>

580

581

<para>

582

This will be the <quote><literal>1</literal></quote> if

583

the <option>--debug</option> option is passed to

584

<command>&COMMANDNAME;</command>, otherwise

585

<quote><literal>0</literal></quote>.

586

</para>

587

</listitem>

588

</varlistentry>

589

590

<term><envar>DELAY</envar></term>

591

592

<para>

593

This will be the same as the <option>--delay</option>

594

option passed to <command>&COMMANDNAME;</command>. Is

595

only set if <envar>MODE</envar> is

596

<quote><literal>start</literal></quote> or

597

<quote><literal>stop</literal></quote>.

598

</para>

599

</listitem>

600

</varlistentry>

601

602

<term><envar>CONNECT</envar></term>

603

604

<para>

605

This will be the same as the <option>--connect</option>

606

option passed to <command>&COMMANDNAME;</command>. Is

607

only set if <option>--connect</option> is passed and

608

<envar>MODE</envar> is

609

<quote><literal>start</literal></quote> or

610

<quote><literal>stop</literal></quote>.

611

</para>

612

</listitem>

613

</varlistentry>

614

</variablelist>

615

<para>

616

A hook may not read from standard input, and should be

617

restrictive in printing to standard output or standard error

618

unless <varname>VERBOSITY</varname> is

619

<quote><literal>1</literal></quote>.

620

</para>

621

</refsect2>

622

</refsect1>

623

624

625

<title>FILES</title>

626

627

628

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

629

></term>

630

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

631

></term>

632

633

<para>

634

OpenPGP public and private key files, in <quote>ASCII

635

Armor</quote> format. These are the default file names,

636

they can be changed with the <option>--pubkey</option> and

637

<option>--seckey</option> options.

638

</para>

639

</listitem>

640

</varlistentry>

641

642

<term><filename

643

class="directory">/lib/mandos/network-hooks.d</filename></term>

644

645

<para>

646

Directory where network hooks are located. Change this

647

with the <option>--network-hook-dir</option> option. See

648

<xref linkend="network-hooks"/>.

649

</para>

650

</listitem>

651

</varlistentry>

652

</variablelist>

653

</refsect1>

654

655

656

343

error occurs. Otherwise, it will forever connect to new

344

<application>Mandosservers</application> servers as they appear,

345

trying to get a decryptable password.

346

</para>

347

</refsect1>

348

349

350

657

351

352

658

353

659

354

660

355

356

357

<title>FILES</title>

358

<para>

359

</para>

360

</refsect1>

361

362

363

364

<para>

365

</para>

366

</refsect1>

367

661

368

662

369

<title>EXAMPLE</title>

663

370

<para>

664

Note that normally, command line options will not be given

665

directly, but via options for the Mandos <citerefentry

666

><refentrytitle>plugin-runner</refentrytitle>

667

<manvolnum>8mandos</manvolnum></citerefentry>.

668

371

</para>

669

670

<para>

671

Normal invocation needs no options, if the network interfaces

672

can be automatically determined:

673

</para>

674

<para>

675

<userinput>&COMMANDNAME;</userinput>

676

</para>

677

</informalexample>

678

679

<para>

680

Search for Mandos servers (and connect to them) using one

681

specific interface:

682

</para>

683

<para>

684

685

<userinput>&COMMANDNAME; --interface eth1</userinput>

686

</para>

687

</informalexample>

688

689

<para>

690

Run in debug mode, and use a custom key:

691

</para>

692

<para>

693

694

695

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

696

697

</para>

698

</informalexample>

699

700

<para>

701

Run in debug mode, with a custom key, and do not use Zeroconf

702

to locate a server; connect directly to the IPv6 link-local

703

address <quote><systemitem class="ipaddress"

704

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

705

using interface eth2:

706

</para>

707

<para>

708

709

710

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

711

712

</para>

713

</informalexample>

714

372

</refsect1>

715

373

716

374

717

375

<title>SECURITY</title>

718

376

<para>

719

This program is set-uid to root, but will switch back to the

720

original (and presumably non-privileged) user and group after

721

bringing up the network interface.

722

</para>

723

<para>

724

To use this program for its intended purpose (see <xref

725

linkend="purpose"/>), the password for the root file system will

726

have to be given out to be stored in a server computer, after

727

having been encrypted using an OpenPGP key. This encrypted data

728

which will be stored in a server can only be decrypted by the

729

OpenPGP key, and the data will only be given out to those

730

clients who can prove they actually have that key. This key,

731

however, is stored unencrypted on the client side in its initial

732

<acronym>RAM</acronym> disk image file system. This is normally

733

readable by all, but this is normally fixed during installation

734

of this program; file permissions are set so that no-one is able

735

to read that file.

736

</para>

737

<para>

738

The only remaining weak point is that someone with physical

739

access to the client hard drive might turn off the client

740

computer, read the OpenPGP keys directly from the hard drive,

741

and communicate with the server. To safeguard against this, the

742

server is supposed to notice the client disappearing and stop

743

giving out the encrypted data. Therefore, it is important to

744

set the timeout and checker interval values tightly on the

745

server. See <citerefentry><refentrytitle

746

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

747

</para>

748

<para>

749

It will also help if the checker program on the server is

750

configured to request something from the client which can not be

751

spoofed by someone else on the network, unlike unencrypted

752

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

753

</para>

754

<para>

755

<emphasis>Note</emphasis>: This makes it completely insecure to

756

have <application >Mandos</application> clients which dual-boot

757

to another operating system which is <emphasis>not</emphasis>

758

trusted to keep the initial <acronym>RAM</acronym> disk image

759

confidential.

760

377

</para>

761

378

</refsect1>

762

379

763

380

764

381

765

382

<para>

766

<citerefentry><refentrytitle>intro</refentrytitle>

767

<manvolnum>8mandos</manvolnum></citerefentry>,

768

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

769

<manvolnum>8</manvolnum></citerefentry>,

770

<citerefentry><refentrytitle>crypttab</refentrytitle>

771

<manvolnum>5</manvolnum></citerefentry>,

772

383

<citerefentry><refentrytitle>mandos</refentrytitle>

773

384

<manvolnum>8</manvolnum></citerefentry>,

774

385

<citerefentry><refentrytitle>password-prompt</refentrytitle>

776

387

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

777

388

<manvolnum>8mandos</manvolnum></citerefentry>

778

389

</para>

779

780

781

<term>

782

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

783

</term>

784

785

<para>

786

Zeroconf is the network protocol standard used for finding

787

Mandos servers on the local network.

788

</para>

789

</listitem>

790

</varlistentry>

791

792

<term>

793

<ulink url="http://www.avahi.org/">Avahi</ulink>

794

</term>

795

796

<para>

797

Avahi is the library this program calls to find Zeroconf

798

services.

799

</para>

800

</listitem>

801

</varlistentry>

802

803

<term>

804

<ulink url="http://www.gnu.org/software/gnutls/"

805

>GnuTLS</ulink>

806

</term>

807

808

<para>

809

GnuTLS is the library this client uses to implement TLS for

810

communicating securely with the server, and at the same time

811

send the public OpenPGP key to the server.

812

</para>

813

</listitem>

814

</varlistentry>

815

816

<term>

817

<ulink url="http://www.gnupg.org/related_software/gpgme/"

818

>GPGME</ulink>

819

</term>

820

821

<para>

822

GPGME is the library used to decrypt the OpenPGP data sent

823

by the server.

824

</para>

825

</listitem>

826

</varlistentry>

827

828

<term>

829

RFC 4291: <citetitle>IP Version 6 Addressing

830

Architecture</citetitle>

831

</term>

832

833

834

835

<term>Section 2.2: <citetitle>Text Representation of

836

Addresses</citetitle></term>

837

838

</varlistentry>

839

840

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

841

Address</citetitle></term>

842

843

</varlistentry>

844

845

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

846

Addresses</citetitle></term>

847

848

<para>

849

This client uses IPv6 link-local addresses, which are

850

immediately usable since a link-local addresses is

851

automatically assigned to a network interface when it

852

is brought up.

853

</para>

854

</listitem>

855

</varlistentry>

856

</variablelist>

857

</listitem>

858

</varlistentry>

859

860

<term>

861

RFC 4346: <citetitle>The Transport Layer Security (TLS)

862

Protocol Version 1.1</citetitle>

863

</term>

864

865

<para>

866

TLS 1.1 is the protocol implemented by GnuTLS.

867

</para>

868

</listitem>

869

</varlistentry>

870

871

<term>

872

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

873

</term>

874

875

<para>

876

The data received from the server is binary encrypted

877

OpenPGP data.

878

</para>

879

</listitem>

880

</varlistentry>

881

882

<term>

883

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

884

Security</citetitle>

885

</term>

886

887

<para>

888

This is implemented by GnuTLS and used by this program so

889

that OpenPGP keys can be used.

890

</para>

891

</listitem>

892

</varlistentry>

893

</variablelist>

390

391

392

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

393

</para></listitem>

394

395

396

<ulink url="http://www.avahi.org/">Avahi</ulink>

397

</para></listitem>

398

399

400

<ulink

401

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

402

</para></listitem>

403

404

405

<ulink

406

url="http://www.gnupg.org/related_software/gpgme/">

407

GPGME</ulink>

408

</para></listitem>

409

410

411

<citation>RFC 4880: <citetitle>OpenPGP Message

412

Format</citetitle></citation>

413

</para></listitem>

414

415

416

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

417

Transport Layer Security</citetitle></citation>

418

</para></listitem>

419

420

421

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

422

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

423

Unicast Addresses</citation>

424

</para></listitem>

425

</itemizedlist>

894

426

</refsect1>

427

895

428

</refentry>

896

897

429

898

430

899

431

Older »