/mandos/trunk : revision 143

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 05:04:40 UTC
Revision ID: teddy@fukt.bsnet.se-20080903050440-7cwzxestx6pvdy1i

* Makefile (mandos.8): Add dependency on "overview.xml" and
                       "legalnotice.xml".
  (mandos-keygen.8): New target.
  (mandos-conf.5): Added dependency on "legalnotice.xml".
  (plugin-runner.8mandos): New target
  (plugins.d/password-request.8mandos): - '' -

* mandos-options.xml (priority): Make wording server/client neutral.

* plugins.d/password-request.c (main): Changed .arg fields of the argp
                                       options struct to be more
                                       consistent with the manual.

* plugins.d/password-request.xml (OVERVIEW): Moved to after "OPTIONS".
  (OPTIONS): Improved wording and names of replaceables.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

102

</arg>

103

<sbr/>

104

100

<arg>

105

<option>--dh-params <replaceable>FILE</replaceable></option>

106

</arg>

107

<sbr/>

108

<arg>

109

<option>--delay <replaceable>SECONDS</replaceable></option>

110

</arg>

111

<sbr/>

112

<arg>

113

<option>--retry <replaceable>SECONDS</replaceable></option>

114

</arg>

115

<sbr/>

116

<arg>

117

<option>--network-hook-dir

118

119

</arg>

120

<sbr/>

121

<arg>

122

101

<option>--debug</option>

123

102

</arg>

124

103

</cmdsynopsis>

141

120

</group>

142

121

</cmdsynopsis>

143

122

</refsynopsisdiv>

144

123

145

124

146

125

<title>DESCRIPTION</title>

147

126

<para>

148

127

<command>&COMMANDNAME;</command> is a client program that

149

128

communicates with <citerefentry><refentrytitle

150

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

151

to get a password. In slightly more detail, this client program

152

brings up network interfaces, uses the interfaces’ IPv6

153

link-local addresses to get network connectivity, uses Zeroconf

154

to find servers on the local network, and communicates with

155

servers using TLS with an OpenPGP key to ensure authenticity and

156

confidentiality. This client program keeps running, trying all

157

servers on the network, until it receives a satisfactory reply

158

or a TERM signal. After all servers have been tried, all

159

servers are periodically retried. If no servers are found it

160

will wait indefinitely for new servers to appear.

161

</para>

162

<para>

163

The network interfaces are selected like this: If any interfaces

164

are specified using the <option>--interface</option> option,

165

those interface are used. Otherwise,

166

<command>&COMMANDNAME;</command> will use all interfaces that

167

are not loopback interfaces, are not point-to-point interfaces,

168

are capable of broadcasting and do not have the NOARP flag (see

169

<citerefentry><refentrytitle>netdevice</refentrytitle>

170

<manvolnum>7</manvolnum></citerefentry>). (If the

171

<option>--connect</option> option is used, point-to-point

172

interfaces and non-broadcast interfaces are accepted.) If any

173

used interfaces are not up and running, they are first taken up

174

(and later taken down again on program exit).

175

</para>

176

<para>

177

Before network interfaces are selected, all <quote>network

178

hooks</quote> are run; see <xref linkend="network-hooks"/>.

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

179

135

</para>

180

136

<para>

181

137

This program is not meant to be run directly; it is really meant

228

184

assumed to separate the address from the port number.

229

185

</para>

230

186

<para>

231

Normally, Zeroconf would be used to locate Mandos servers,

232

in which case this option would only be used when testing

233

and debugging.

187

This option is normally only useful for testing and

188

debugging.

234

189

</para>

235

190

</listitem>

236

191

</varlistentry>

237

192

238

193

239

<term><option>--interface=<replaceable

240

>NAME</replaceable><arg rep='repeat'>,<replaceable

241

>NAME</replaceable></arg></option></term>

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

<term><option>--interface=

211

242

212

<term><option>-i

243

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

244

>NAME</replaceable></arg></option></term>

213

245

214

246

215

<para>

247

Comma separated list of network interfaces that will be

248

brought up and scanned for Mandos servers to connect to.

249

The default is the empty string, which will automatically

250

use all appropriate interfaces.

251

</para>

252

<para>

253

If the <option>--connect</option> option is used, and

254

exactly one interface name is specified (except

255

<quote><literal>none</literal></quote>), this specifies

256

the interface to use to connect to the address given.

257

</para>

258

<para>

259

Note that since this program will normally run in the

260

initial RAM disk environment, the interface must be an

261

interface which exists at that stage. Thus, the interface

262

can normally not be a pseudo-interface such as

263

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

264

will not exist until much later in the boot process, and

265

can not be used by this program, unless created by a

266

<quote>network hook</quote> — see <xref

267

linkend="network-hooks"/>.

268

</para>

269

<para>

270

<replaceable>NAME</replaceable> can be the string

271

<quote><literal>none</literal></quote>; this will make

272

<command>&COMMANDNAME;</command> only bring up interfaces

273

specified <emphasis>before</emphasis> this string. This

274

is not recommended, and only meant for advanced users.

216

Network interface that will be brought up and scanned for

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

275

219

</para>

276

220

</listitem>

277

221

</varlistentry>

283

227

284

228

285

229

<para>

286

OpenPGP public key file name. The default name is

287

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

288

></quote>.

230

OpenPGP public key file base name. This will be combined

231

with the directory from the <option>--keydir</option>

232

option to form an absolute file name. The default name is

233

<quote><literal>pubkey.txt</literal></quote>.

289

234

</para>

290

235

</listitem>

291

236

</varlistentry>

292

237

293

238

294

239

<term><option>--seckey=<replaceable

295

240

>FILE</replaceable></option></term>

297

242

298

243

299

244

<para>

300

OpenPGP secret key file name. The default name is

301

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

302

></quote>.

245

OpenPGP secret key file base name. This will be combined

246

with the directory from the <option>--keydir</option>

247

option to form an absolute file name. The default name is

248

<quote><literal>seckey.txt</literal></quote>.

303

249

</para>

304

250

</listitem>

305

251

</varlistentry>

312

258

xpointer="priority"/>

313

259

</listitem>

314

260

</varlistentry>

315

261

316

262

317

263

<term><option>--dh-bits=<replaceable

318

264

>BITS</replaceable></option></term>

319

265

320

266

<para>

321

267

Sets the number of bits to use for the prime number in the

322

TLS Diffie-Hellman key exchange. The default value is

323

selected automatically based on the OpenPGP key. Note

324

that if the <option>--dh-params</option> option is used,

325

the values from that file will be used instead.

326

</para>

327

</listitem>

328

</varlistentry>

329

330

331

<term><option>--dh-params=<replaceable

332

>FILE</replaceable></option></term>

333

334

<para>

335

Specifies a PEM-encoded PKCS#3 file to read the parameters

336

needed by the TLS Diffie-Hellman key exchange from. If

337

this option is not given, or if the file for some reason

338

could not be used, the parameters will be generated on

339

startup, which will take some time and processing power.

340

Those using servers running under time, power or processor

341

constraints may want to generate such a file in advance

342

and use this option.

343

</para>

344

</listitem>

345

</varlistentry>

346

347

348

<term><option>--delay=<replaceable

349

>SECONDS</replaceable></option></term>

350

351

<para>

352

After bringing a network interface up, the program waits

353

for the interface to arrive in a <quote>running</quote>

354

state before proceeding. During this time, the kernel log

355

level will be lowered to reduce clutter on the system

356

console, alleviating any other plugins which might be

357

using the system console. This option sets the upper

358

limit of seconds to wait. The default is 2.5 seconds.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

<term><option>--retry=<replaceable

365

>SECONDS</replaceable></option></term>

366

367

<para>

368

All Mandos servers are tried repeatedly until a password

369

is received. This value specifies, in seconds, how long

370

between each successive try <emphasis>for the same

371

server</emphasis>. The default is 10 seconds.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--network-hook-dir=<replaceable

378

>DIR</replaceable></option></term>

379

380

<para>

381

Network hook directory. The default directory is

382

<quote><filename class="directory"

383

>/lib/mandos/network-hooks.d</filename></quote>.

268

TLS Diffie-Hellman key exchange. Default is 1024.

384

269

</para>

385

270

</listitem>

386

271

</varlistentry>

419

304

</para>

420

305

</listitem>

421

306

</varlistentry>

422

307

423

308

424

309

<term><option>--version</option></term>

425

310

431

316

</varlistentry>

432

317

</variablelist>

433

318

</refsect1>

434

319

435

320

436

321

<title>OVERVIEW</title>

437

322

<xi:include href="../overview.xml"/>

444

329

<para>

445

330

This program could, theoretically, be used as a keyscript in

446

331

<filename>/etc/crypttab</filename>, but it would then be

447

impossible to enter a password for the encrypted root disk at

448

the console, since this program does not read from the console

449

at all. This is why a separate plugin runner (<citerefentry>

450

<refentrytitle>plugin-runner</refentrytitle>

451

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

452

both this program and others in in parallel,

453

<emphasis>one</emphasis> of which (<citerefentry>

454

<refentrytitle>password-prompt</refentrytitle>

455

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

456

passwords on the system console.

332

impossible to enter the encrypted root disk password at the

333

console, since this program does not read from the console at

334

all. This is why a separate plugin does that, which will be run

335

in parallell to this one.

457

336

</para>

458

337

</refsect1>

459

338

464

343

server could be found and the password received from it could be

465

344

successfully decrypted and output on standard output. The

466

345

program will exit with a non-zero exit status only if a critical

467

error occurs. Otherwise, it will forever connect to any

468

discovered <application>Mandos</application> servers, trying to

469

get a decryptable password and print it.

346

error occurs. Otherwise, it will forever connect to new

347

<application>Mandosservers</application> servers as they appear,

348

trying to get a decryptable password.

470

349

</para>

471

350

</refsect1>

472

351

473

352

474

353

<title>ENVIRONMENT</title>

475

476

477

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

478

479

<para>

480

This environment variable will be assumed to contain the

481

directory containing any helper executables. The use and

482

nature of these helper executables, if any, is

483

purposefully not documented.

484

</para>

485

</listitem>

486

</varlistentry>

487

</variablelist>

488

354

<para>

489

This program does not use any other environment variables, not

490

even the ones provided by <citerefentry><refentrytitle

355

This program does not use any environment variables, not even

356

the ones provided by <citerefentry><refentrytitle

491

357

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

492

358

</citerefentry>.

493

359

</para>

494

360

</refsect1>

495

361

496

497

<title>NETWORK HOOKS</title>

498

<para>

499

If a network interface like a bridge or tunnel is required to

500

find a Mandos server, this requires the interface to be up and

501

running before <command>&COMMANDNAME;</command> starts looking

502

for Mandos servers. This can be accomplished by creating a

503

<quote>network hook</quote> program, and placing it in a special

504

directory.

505

</para>

506

<para>

507

Before the network is used (and again before program exit), any

508

runnable programs found in the network hook directory are run

509

with the argument <quote><literal>start</literal></quote> or

510

<quote><literal>stop</literal></quote>. This should bring up or

511

down, respectively, any network interface which

512

<command>&COMMANDNAME;</command> should use.

513

</para>

514

515

<title>REQUIREMENTS</title>

516

<para>

517

A network hook must be an executable file, and its name must

518

consist entirely of upper and lower case letters, digits,

519

underscores, periods, and hyphens.

520

</para>

521

<para>

522

A network hook will receive one argument, which can be one of

523

the following:

524

</para>

525

526

527

<term><literal>start</literal></term>

528

529

<para>

530

This should make the network hook create (if necessary)

531

and bring up a network interface.

532

</para>

533

</listitem>

534

</varlistentry>

535

536

537

538

<para>

539

This should make the network hook take down a network

540

interface, and delete it if it did not exist previously.

541

</para>

542

</listitem>

543

</varlistentry>

544

545

<term><literal>files</literal></term>

546

547

<para>

548

This should make the network hook print, <emphasis>one

549

file per line</emphasis>, all the files needed for it to

550

run. (These files will be copied into the initial RAM

551

filesystem.) Typical use is for a network hook which is

552

a shell script to print its needed binaries.

553

</para>

554

<para>

555

It is not necessary to print any non-executable files

556

already in the network hook directory, these will be

557

copied implicitly if they otherwise satisfy the name

558

requirements.

559

</para>

560

</listitem>

561

</varlistentry>

562

563

<term><literal>modules</literal></term>

564

565

<para>

566

This should make the network hook print, <emphasis>on

567

separate lines</emphasis>, all the kernel modules needed

568

for it to run. (These modules will be copied into the

569

initial RAM filesystem.) For instance, a tunnel

570

interface needs the

571

<quote><literal>tun</literal></quote> module.

572

</para>

573

</listitem>

574

</varlistentry>

575

</variablelist>

576

<para>

577

The network hook will be provided with a number of environment

578

variables:

579

</para>

580

581

582

<term><envar>MANDOSNETHOOKDIR</envar></term>

583

584

<para>

585

The network hook directory, specified to

586

<command>&COMMANDNAME;</command> by the

587

<option>--network-hook-dir</option> option. Note: this

588

should <emphasis>always</emphasis> be used by the

589

network hook to refer to itself or any files in the hook

590

directory it may require.

591

</para>

592

</listitem>

593

</varlistentry>

594

595

<term><envar>DEVICE</envar></term>

596

597

<para>

598

The network interfaces, as specified to

599

<command>&COMMANDNAME;</command> by the

600

<option>--interface</option> option, combined to one

601

string and separated by commas. If this is set, and

602

does not contain the interface a hook will bring up,

603

there is no reason for a hook to continue.

604

</para>

605

</listitem>

606

</varlistentry>

607

608

609

610

<para>

611

This will be the same as the first argument;

612

i.e. <quote><literal>start</literal></quote>,

613

<quote><literal>stop</literal></quote>,

614

<quote><literal>files</literal></quote>, or

615

<quote><literal>modules</literal></quote>.

616

</para>

617

</listitem>

618

</varlistentry>

619

620

<term><envar>VERBOSITY</envar></term>

621

622

<para>

623

This will be the <quote><literal>1</literal></quote> if

624

the <option>--debug</option> option is passed to

625

<command>&COMMANDNAME;</command>, otherwise

626

<quote><literal>0</literal></quote>.

627

</para>

628

</listitem>

629

</varlistentry>

630

631

<term><envar>DELAY</envar></term>

632

633

<para>

634

This will be the same as the <option>--delay</option>

635

option passed to <command>&COMMANDNAME;</command>. Is

636

only set if <envar>MODE</envar> is

637

<quote><literal>start</literal></quote> or

638

<quote><literal>stop</literal></quote>.

639

</para>

640

</listitem>

641

</varlistentry>

642

643

<term><envar>CONNECT</envar></term>

644

645

<para>

646

This will be the same as the <option>--connect</option>

647

option passed to <command>&COMMANDNAME;</command>. Is

648

only set if <option>--connect</option> is passed and

649

<envar>MODE</envar> is

650

<quote><literal>start</literal></quote> or

651

<quote><literal>stop</literal></quote>.

652

</para>

653

</listitem>

654

</varlistentry>

655

</variablelist>

656

<para>

657

A hook may not read from standard input, and should be

658

restrictive in printing to standard output or standard error

659

unless <varname>VERBOSITY</varname> is

660

<quote><literal>1</literal></quote>.

661

</para>

662

</refsect2>

663

</refsect1>

664

665

362

666

363

<title>FILES</title>

667

668

669

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

670

></term>

671

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

672

></term>

673

674

<para>

675

OpenPGP public and private key files, in <quote>ASCII

676

Armor</quote> format. These are the default file names,

677

they can be changed with the <option>--pubkey</option> and

678

<option>--seckey</option> options.

679

</para>

680

</listitem>

681

</varlistentry>

682

683

<term><filename

684

class="directory">/lib/mandos/network-hooks.d</filename></term>

685

686

<para>

687

Directory where network hooks are located. Change this

688

with the <option>--network-hook-dir</option> option. See

689

<xref linkend="network-hooks"/>.

690

</para>

691

</listitem>

692

</varlistentry>

693

</variablelist>

364

<para>

365

</para>

694

366

</refsect1>

695

367

696

368

697

369

698

<xi:include href="../bugs.xml"/>

370

<para>

371

</para>

699

372

</refsect1>

700

373

701

374

702

375

<title>EXAMPLE</title>

703

376

<para>

704

Note that normally, command line options will not be given

705

directly, but via options for the Mandos <citerefentry

706

><refentrytitle>plugin-runner</refentrytitle>

707

<manvolnum>8mandos</manvolnum></citerefentry>.

708

377

</para>

709

710

<para>

711

Normal invocation needs no options, if the network interfaces

712

can be automatically determined:

713

</para>

714

<para>

715

<userinput>&COMMANDNAME;</userinput>

716

</para>

717

</informalexample>

718

719

<para>

720

Search for Mandos servers (and connect to them) using one

721

specific interface:

722

</para>

723

<para>

724

725

<userinput>&COMMANDNAME; --interface eth1</userinput>

726

</para>

727

</informalexample>

728

729

<para>

730

Run in debug mode, and use a custom key:

731

</para>

732

<para>

733

734

735

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

736

737

</para>

738

</informalexample>

739

740

<para>

741

Run in debug mode, with a custom key, and do not use Zeroconf

742

to locate a server; connect directly to the IPv6 link-local

743

address <quote><systemitem class="ipaddress"

744

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

745

using interface eth2:

746

</para>

747

<para>

748

749

750

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

752

</para>

753

</informalexample>

754

378

</refsect1>

755

379

756

380

757

381

<title>SECURITY</title>

758

382

<para>

759

This program is set-uid to root, but will switch back to the

760

original (and presumably non-privileged) user and group after

761

bringing up the network interface.

762

</para>

763

<para>

764

To use this program for its intended purpose (see <xref

765

linkend="purpose"/>), the password for the root file system will

766

have to be given out to be stored in a server computer, after

767

having been encrypted using an OpenPGP key. This encrypted data

768

which will be stored in a server can only be decrypted by the

769

OpenPGP key, and the data will only be given out to those

770

clients who can prove they actually have that key. This key,

771

however, is stored unencrypted on the client side in its initial

772

<acronym>RAM</acronym> disk image file system. This is normally

773

readable by all, but this is normally fixed during installation

774

of this program; file permissions are set so that no-one is able

775

to read that file.

776

</para>

777

<para>

778

The only remaining weak point is that someone with physical

779

access to the client hard drive might turn off the client

780

computer, read the OpenPGP keys directly from the hard drive,

781

and communicate with the server. To safeguard against this, the

782

server is supposed to notice the client disappearing and stop

783

giving out the encrypted data. Therefore, it is important to

784

set the timeout and checker interval values tightly on the

785

server. See <citerefentry><refentrytitle

786

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

787

</para>

788

<para>

789

It will also help if the checker program on the server is

790

configured to request something from the client which can not be

791

spoofed by someone else on the network, like SSH server key

792

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

793

echo (<quote>ping</quote>) replies.

794

</para>

795

<para>

796

<emphasis>Note</emphasis>: This makes it completely insecure to

797

have <application >Mandos</application> clients which dual-boot

798

to another operating system which is <emphasis>not</emphasis>

799

trusted to keep the initial <acronym>RAM</acronym> disk image

800

confidential.

801

383

</para>

802

384

</refsect1>

803

385

804

386

805

387

806

388

<para>

807

<citerefentry><refentrytitle>intro</refentrytitle>

808

<manvolnum>8mandos</manvolnum></citerefentry>,

809

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

810

<manvolnum>8</manvolnum></citerefentry>,

811

<citerefentry><refentrytitle>crypttab</refentrytitle>

812

<manvolnum>5</manvolnum></citerefentry>,

813

389

<citerefentry><refentrytitle>mandos</refentrytitle>

814

390

<manvolnum>8</manvolnum></citerefentry>,

815

391

<citerefentry><refentrytitle>password-prompt</refentrytitle>

817

393

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

818

394

<manvolnum>8mandos</manvolnum></citerefentry>

819

395

</para>

820

821

822

<term>

823

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

824

</term>

825

826

<para>

827

Zeroconf is the network protocol standard used for finding

828

Mandos servers on the local network.

829

</para>

830

</listitem>

831

</varlistentry>

832

833

<term>

834

<ulink url="http://www.avahi.org/">Avahi</ulink>

835

</term>

836

837

<para>

838

Avahi is the library this program calls to find Zeroconf

839

services.

840

</para>

841

</listitem>

842

</varlistentry>

843

844

<term>

845

<ulink url="http://www.gnu.org/software/gnutls/"

846

>GnuTLS</ulink>

847

</term>

848

849

<para>

850

GnuTLS is the library this client uses to implement TLS for

851

communicating securely with the server, and at the same time

852

send the public OpenPGP key to the server.

853

</para>

854

</listitem>

855

</varlistentry>

856

857

<term>

858

<ulink url="http://www.gnupg.org/related_software/gpgme/"

859

>GPGME</ulink>

860

</term>

861

862

<para>

863

GPGME is the library used to decrypt the OpenPGP data sent

864

by the server.

865

</para>

866

</listitem>

867

</varlistentry>

868

869

<term>

870

RFC 4291: <citetitle>IP Version 6 Addressing

871

Architecture</citetitle>

872

</term>

873

874

875

876

<term>Section 2.2: <citetitle>Text Representation of

877

Addresses</citetitle></term>

878

879

</varlistentry>

880

881

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

882

Address</citetitle></term>

883

884

</varlistentry>

885

886

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

887

Addresses</citetitle></term>

888

889

<para>

890

This client uses IPv6 link-local addresses, which are

891

immediately usable since a link-local addresses is

892

automatically assigned to a network interface when it

893

is brought up.

894

</para>

895

</listitem>

896

</varlistentry>

897

</variablelist>

898

</listitem>

899

</varlistentry>

900

901

<term>

902

RFC 4346: <citetitle>The Transport Layer Security (TLS)

903

Protocol Version 1.1</citetitle>

904

</term>

905

906

<para>

907

TLS 1.1 is the protocol implemented by GnuTLS.

908

</para>

909

</listitem>

910

</varlistentry>

911

912

<term>

913

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

914

</term>

915

916

<para>

917

The data received from the server is binary encrypted

918

OpenPGP data.

919

</para>

920

</listitem>

921

</varlistentry>

922

923

<term>

924

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

925

Security</citetitle>

926

</term>

927

928

<para>

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

931

</para>

932

</listitem>

933

</varlistentry>

934

</variablelist>

396

397

398

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

399

</para></listitem>

400

401

402

<ulink url="http://www.avahi.org/">Avahi</ulink>

403

</para></listitem>

404

405

406

<ulink

407

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

408

</para></listitem>

409

410

411

<ulink

412

url="http://www.gnupg.org/related_software/gpgme/"

413

>GPGME</ulink>

414

</para></listitem>

415

416

417

<citation>RFC 4880: <citetitle>OpenPGP Message

418

Format</citetitle></citation>

419

</para></listitem>

420

421

422

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

423

Transport Layer Security</citetitle></citation>

424

</para></listitem>

425

426

427

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

428

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

429

Unicast Addresses</citation>

430

</para></listitem>

431

</itemizedlist>

935

432

</refsect1>

433

936

434

</refentry>

937

938

435

939

436

940

437

Older »