/mandos/trunk : revision 143

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 05:04:40 UTC
Revision ID: teddy@fukt.bsnet.se-20080903050440-7cwzxestx6pvdy1i

* Makefile (mandos.8): Add dependency on "overview.xml" and
                       "legalnotice.xml".
  (mandos-keygen.8): New target.
  (mandos-conf.5): Added dependency on "legalnotice.xml".
  (plugin-runner.8mandos): New target
  (plugins.d/password-request.8mandos): - '' -

* mandos-options.xml (priority): Make wording server/client neutral.

* plugins.d/password-request.c (main): Changed .arg fields of the argp
                                       options struct to be more
                                       consistent with the manual.

* plugins.d/password-request.xml (OVERVIEW): Moved to after "OPTIONS".
  (OPTIONS): Improved wording and names of replaceables.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

116

100

<arg choice="plain"><option>--check</option></arg>

117

101

</cmdsynopsis>

118

102

</refsynopsisdiv>

119

103

120

104

121

105

<title>DESCRIPTION</title>

122

106

<para>

123

107

<command>&COMMANDNAME;</command> is a server daemon which

124

108

handles incoming request for passwords for a pre-defined list of

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

109

client host computers. The Mandos server uses Zeroconf to

110

announce itself on the local network, and uses TLS to

111

communicate securely with and to authenticate the clients. The

112

Mandos server uses IPv6 to allow Mandos clients to use IPv6

113

link-local addresses, since the clients will probably not have

114

any other addresses configured (see <xref linkend="overview"/>).

115

Any authenticated client is then given the stored pre-encrypted

116

password for that specific client.

135

117

</para>

136

118

</refsect1>

137

119

204

186

<xi:include href="mandos-options.xml" xpointer="debug"/>

205

187

</listitem>

206

188

</varlistentry>

207

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

189

226

190

227

191

<term><option>--priority <replaceable>

228

192

PRIORITY</replaceable></option></term>

230

194

<xi:include href="mandos-options.xml" xpointer="priority"/>

231

195

</listitem>

232

196

</varlistentry>

233

197

234

198

235

199

<term><option>--servicename

236

200

239

203

xpointer="servicename"/>

240

204

</listitem>

241

205

</varlistentry>

242

206

243

207

244

208

<term><option>--configdir

245

209

<replaceable>DIRECTORY</replaceable></option></term>

254

218

</para>

255

219

</listitem>

256

220

</varlistentry>

257

221

258

222

259

223

<term><option>--version</option></term>

260

224

263

227

</para>

264

228

</listitem>

265

229

</varlistentry>

266

267

268

269

270

<xi:include href="mandos-options.xml" xpointer="dbus"/>

271

<para>

272

See also <xref linkend="dbus_interface"/>.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

298

230

</variablelist>

299

231

</refsect1>

300

232

301

233

302

234

<title>OVERVIEW</title>

303

235

<xi:include href="overview.xml"/>

307

239

<acronym>RAM</acronym> disk environment.

308

240

</para>

309

241

</refsect1>

310

242

311

243

312

244

<title>NETWORK PROTOCOL</title>

313

245

<para>

365

297

</row>

366

298

</tbody></tgroup></table>

367

299

</refsect1>

368

300

369

301

370

302

<title>CHECKING</title>

371

303

<para>

372

304

The server will, by default, continually check that the clients

373

305

are still up. If a client has not been confirmed as being up

374

306

for some time, the client is assumed to be compromised and is no

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

307

longer eligible to receive the encrypted password. The timeout,

308

checker program, and interval between checks can be configured

309

both globally and per client; see <citerefentry>

393

310

<refentrytitle>mandos-clients.conf</refentrytitle>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

311

<manvolnum>5</manvolnum></citerefentry>.

312

</para>

404

313

</refsect1>

405

314

406

315

407

316

<title>LOGGING</title>

408

317

<para>

412

321

and also show them on the console.

413

322

</para>

414

323

</refsect1>

415

416

417

<title>D-BUS INTERFACE</title>

418

<para>

419

The server will by default provide a D-Bus system bus interface.

420

This interface will only be accessible by the root user or a

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

423

</para>

424

</refsect1>

425

324

426

325

427

326

<title>EXIT STATUS</title>

428

327

<para>

430

329

critical error is encountered.

431

330

</para>

432

331

</refsect1>

433

332

434

333

435

334

<title>ENVIRONMENT</title>

436

335

450

349

</varlistentry>

451

350

</variablelist>

452

351

</refsect1>

453

454

352

353

455

354

<title>FILES</title>

456

355

<para>

457

356

Use the <option>--configdir</option> option to change where

480

379

</listitem>

481

380

</varlistentry>

482

381

483

<term><filename>/var/run/mandos.pid</filename></term>

484

485

<para>

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

<term><filename

493

class="directory">/var/lib/mandos</filename></term>

494

495

<para>

496

Directory where persistent state will be saved. Change

497

this with the <option>--statedir</option> option. See

498

also the <option>--no-restore</option> option.

382

<term><filename>/var/run/mandos/mandos.pid</filename></term>

383

384

<para>

385

The file containing the process id of

386

<command>&COMMANDNAME;</command>.

499

387

</para>

500

388

</listitem>

501

389

</varlistentry>

529

417

backtrace. This could be considered a feature.

530

418

</para>

531

419

<para>

420

Currently, if a client is declared <quote>invalid</quote> due to

421

having timed out, the server does not record this fact onto

422

permanent storage. This has some security implications, see

423

<xref linkend="CLIENTS"/>.

424

</para>

425

<para>

426

There is currently no way of querying the server of the current

427

status of clients, other than analyzing its <systemitem

428

class="service">syslog</systemitem> output.

429

</para>

430

<para>

532

431

There is no fine-grained control over logging and debug output.

533

432

</para>

534

433

<para>

535

434

Debug mode is conflated with running in the foreground.

536

435

</para>

537

436

<para>

538

This server does not check the expire time of clients’ OpenPGP

539

keys.

437

The console log messages does not show a timestamp.

540

438

</para>

541

439

</refsect1>

542

440

553

451

554

452

<para>

555

453

Run the server in debug mode, read configuration files from

556

the <filename class="directory">~/mandos</filename> directory,

557

and use the Zeroconf service name <quote>Test</quote> to not

558

collide with any other official Mandos server on this host:

454

the <filename>~/mandos</filename> directory, and use the

455

Zeroconf service name <quote>Test</quote> to not collide with

456

any other official Mandos server on this host:

559

457

</para>

560

458

<para>

561

459

577

475

</para>

578

476

</informalexample>

579

477

</refsect1>

580

478

581

479

582

480

<title>SECURITY</title>

583

481

584

482

<title>SERVER</title>

585

483

<para>

586

484

Running this <command>&COMMANDNAME;</command> server program

587

485

should not in itself present any security risk to the host

588

computer running it. The program switches to a non-root user

589

soon after startup.

486

computer running it. The program does not need any special

487

privileges to run, and is designed to run as a non-root user.

590

488

</para>

591

489

</refsect2>

592

490

593

491

<title>CLIENTS</title>

594

492

<para>

595

493

The server only gives out its stored data to clients which

602

500

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

603

501

<manvolnum>5</manvolnum></citerefentry>)

604

502

<emphasis>must</emphasis> be made non-readable by anyone

605

except the user starting the server (usually root).

503

except the user running the server.

606

504

</para>

607

505

<para>

608

506

As detailed in <xref linkend="checking"/>, the status of all

610

508

compromised if they are gone for too long.

611

509

</para>

612

510

<para>

511

If a client is compromised, its downtime should be duly noted

512

by the server which would therefore declare the client

513

invalid. But if the server was ever restarted, it would

514

re-read its client list from its configuration file and again

515

regard all clients therein as valid, and hence eligible to

516

receive their passwords. Therefore, be careful when

517

restarting servers if it is suspected that a client has, in

518

fact, been compromised by parties who may now be running a

519

fake Mandos client with the keys from the non-encrypted

520

initial <acronym>RAM</acronym> image of the client host. What

521

should be done in that case (if restarting the server program

522

really is necessary) is to stop the server program, edit the

523

configuration file to omit any suspect clients, and restart

524

the server program.

525

</para>

526

<para>

613

527

For more details on client-side security, see

614

<citerefentry><refentrytitle>mandos-client</refentrytitle>

528

<citerefentry><refentrytitle>password-request</refentrytitle>

615

529

<manvolnum>8mandos</manvolnum></citerefentry>.

616

530

</para>

617

531

</refsect2>

618

532

</refsect1>

619

533

620

534

621

535

622

536

<para>

623

<citerefentry><refentrytitle>intro</refentrytitle>

624

<manvolnum>8mandos</manvolnum></citerefentry>,

625

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

626

<manvolnum>5</manvolnum></citerefentry>,

627

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

628

<manvolnum>5</manvolnum></citerefentry>,

629

<citerefentry><refentrytitle>mandos-client</refentrytitle>

630

<manvolnum>8mandos</manvolnum></citerefentry>,

631

632

537

538

<refentrytitle>mandos-clients.conf</refentrytitle>

539

540

<refentrytitle>mandos.conf</refentrytitle>

541

542

<refentrytitle>password-request</refentrytitle>

543

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

544

545

</citerefentry>

633

546

</para>

634

547

635

548

Older »