133
122
</refsynopsisdiv>
135
124
<refsect1 id="description">
136
125
<title>DESCRIPTION</title>
138
127
<command>&COMMANDNAME;</command> is a client program that
139
128
communicates with <citerefentry><refentrytitle
140
129
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>
141
to get a password. In slightly more detail, this client program
142
brings up network interfaces, uses the interfaces’ IPv6
143
link-local addresses to get network connectivity, uses Zeroconf
144
to find servers on the local network, and communicates with
145
servers using TLS with an OpenPGP key to ensure authenticity and
146
confidentiality. This client program keeps running, trying all
147
servers on the network, until it receives a satisfactory reply
148
or a TERM signal. After all servers have been tried, all
149
servers are periodically retried. If no servers are found it
150
will wait indefinitely for new servers to appear.
153
The network interfaces are selected like this: If any interfaces
154
are specified using the <option>--interface</option> option,
155
those interface are used. Otherwise,
156
<command>&COMMANDNAME;</command> will use all interfaces that
157
are not loopback interfaces, are not point-to-point interfaces,
158
are capable of broadcasting and do not have the NOARP flag (see
159
<citerefentry><refentrytitle>netdevice</refentrytitle>
160
<manvolnum>7</manvolnum></citerefentry>). (If the
161
<option>--connect</option> option is used, point-to-point
162
interfaces and non-broadcast interfaces are accepted.) If any
163
used interfaces are not up and running, they are first taken up
164
(and later taken down again on program exit).
167
Before network interfaces are selected, all <quote>network
168
hooks</quote> are run; see <xref linkend="network-hooks"/>.
130
to get a password. It uses IPv6 link-local addresses to get
131
network connectivity, Zeroconf to find servers, and TLS with an
132
OpenPGP key to ensure authenticity and confidentiality. It
133
keeps running, trying all servers on the network, until it
134
receives a satisfactory reply or a TERM signal is recieved.
171
137
This program is not meant to be run directly; it is really meant
228
<term><option>--interface=<replaceable
229
>NAME</replaceable></option></term>
194
<term><option>--keydir=<replaceable
195
>DIRECTORY</replaceable></option></term>
197
<replaceable>DIRECTORY</replaceable></option></term>
200
Directory to read the OpenPGP key files
201
<filename>pubkey.txt</filename> and
202
<filename>seckey.txt</filename> from. The default is
203
<filename>/conf/conf.d/mandos</filename> (in the initial
204
<acronym>RAM</acronym> disk environment).
210
<term><option>--interface=
211
<replaceable>NAME</replaceable></option></term>
231
213
<replaceable>NAME</replaceable></option></term>
234
Comma separated list of network interfaces that will be
235
brought up and scanned for Mandos servers to connect to.
236
The default is the empty string, which will automatically
237
use all appropriate interfaces.
240
If the <option>--connect</option> option is used, this
241
specifies the interface to use to connect to the address
245
Note that since this program will normally run in the
246
initial RAM disk environment, the interface must be an
247
interface which exists at that stage. Thus, the interface
248
can normally not be a pseudo-interface such as
249
<quote>br0</quote> or <quote>tun0</quote>; such interfaces
250
will not exist until much later in the boot process, and
251
can not be used by this program, unless created by a
252
<quote>network hook</quote> — see <xref
253
linkend="network-hooks"/>.
256
<replaceable>NAME</replaceable> can be the string
257
<quote><literal>none</literal></quote>; this will not use
258
any specific interface, and will not bring up an interface
259
on startup. This is not recommended, and only meant for
216
Network interface that will be brought up and scanned for
217
Mandos servers to connect to. The default it
218
<quote><literal>eth0</literal></quote>.
449
<refsect1 id="network-hooks">
450
<title>NETWORK HOOKS</title>
452
If a network interface like a bridge or tunnel is required to
453
find a Mandos server, this requires the interface to be up and
454
running before <command>&COMMANDNAME;</command> starts looking
455
for Mandos servers. This can be accomplished by creating a
456
<quote>network hook</quote> program, and placing it in a special
460
Before the network is used (and again before program exit), any
461
runnable programs found in the network hook directory are run
462
with the argument <quote><literal>start</literal></quote> or
463
<quote><literal>stop</literal></quote>. This should bring up or
464
down, respectively, any network interface which
465
<command>&COMMANDNAME;</command> should use.
467
<refsect2 id="hook-requirements">
468
<title>REQUIREMENTS</title>
470
A network hook must be an executable file, and its name must
471
consist entirely of upper and lower case letters, digits,
472
underscores, periods, and hyphens.
475
A network hook will receive one argument, which can be one of
480
<term><literal>start</literal></term>
483
This should make the network hook create (if necessary)
484
and bring up a network interface.
489
<term><literal>stop</literal></term>
492
This should make the network hook take down a network
493
interface, and delete it if it did not exist previously.
498
<term><literal>files</literal></term>
501
This should make the network hook print, <emphasis>one
502
file per line</emphasis>, all the files needed for it to
503
run. (These files will be copied into the initial RAM
504
filesystem.) Typical use is for a network hook which is
505
a shell script to print its needed binaries.
508
It is not necessary to print any non-executable files
509
already in the network hook directory, these will be
510
copied implicitly if they otherwise satisfy the name
516
<term><literal>modules</literal></term>
519
This should make the network hook print, <emphasis>on
520
separate lines</emphasis>, all the kernel modules needed
521
for it to run. (These modules will be copied into the
522
initial RAM filesystem.) For instance, a tunnel
524
<quote><literal>tun</literal></quote> module.
530
The network hook will be provided with a number of environment
535
<term><envar>MANDOSNETHOOKDIR</envar></term>
538
The network hook directory, specified to
539
<command>&COMMANDNAME;</command> by the
540
<option>--network-hook-dir</option> option. Note: this
541
should <emphasis>always</emphasis> be used by the
542
network hook to refer to itself or any files in the hook
543
directory it may require.
548
<term><envar>DEVICE</envar></term>
551
The network interfaces, as specified to
552
<command>&COMMANDNAME;</command> by the
553
<option>--interface</option> option, combined to one
554
string and separated by commas. If this is set, and
555
does not contain the interface a hook will bring up,
556
there is no reason for a hook to continue.
561
<term><envar>MODE</envar></term>
564
This will be the same as the first argument;
565
i.e. <quote><literal>start</literal></quote>,
566
<quote><literal>stop</literal></quote>,
567
<quote><literal>files</literal></quote>, or
568
<quote><literal>modules</literal></quote>.
573
<term><envar>VERBOSITY</envar></term>
576
This will be the <quote><literal>1</literal></quote> if
577
the <option>--debug</option> option is passed to
578
<command>&COMMANDNAME;</command>, otherwise
579
<quote><literal>0</literal></quote>.
584
<term><envar>DELAY</envar></term>
587
This will be the same as the <option>--delay</option>
588
option passed to <command>&COMMANDNAME;</command>. Is
589
only set if <envar>MODE</envar> is
590
<quote><literal>start</literal></quote> or
591
<quote><literal>stop</literal></quote>.
596
<term><envar>CONNECT</envar></term>
599
This will be the same as the <option>--connect</option>
600
option passed to <command>&COMMANDNAME;</command>. Is
601
only set if <option>--connect</option> is passed and
602
<envar>MODE</envar> is
603
<quote><literal>start</literal></quote> or
604
<quote><literal>stop</literal></quote>.
610
A hook may not read from standard input, and should be
611
restrictive in printing to standard output or standard error
612
unless <varname>VERBOSITY</varname> is
613
<quote><literal>1</literal></quote>.
618
<refsect1 id="files">
619
363
<title>FILES</title>
622
<term><filename>/conf/conf.d/mandos/pubkey.txt</filename
624
<term><filename>/conf/conf.d/mandos/seckey.txt</filename
628
OpenPGP public and private key files, in <quote>ASCII
629
Armor</quote> format. These are the default file names,
630
they can be changed with the <option>--pubkey</option> and
631
<option>--seckey</option> options.
637
class="directory">/lib/mandos/network-hooks.d</filename></term>
640
Directory where network hooks are located. Change this
641
with the <option>--network-hook-dir</option> option. See
642
<xref linkend="network-hooks"/>.
649
<!-- <refsect1 id="bugs"> -->
650
<!-- <title>BUGS</title> -->
655
374
<refsect1 id="example">
656
375
<title>EXAMPLE</title>
658
Note that normally, command line options will not be given
659
directly, but via options for the Mandos <citerefentry
660
><refentrytitle>plugin-runner</refentrytitle>
661
<manvolnum>8mandos</manvolnum></citerefentry>.
665
Normal invocation needs no options, if the network interface
666
can be automatically determined:
669
<userinput>&COMMANDNAME;</userinput>
674
Search for Mandos servers (and connect to them) using another
678
<!-- do not wrap this line -->
679
<userinput>&COMMANDNAME; --interface eth1</userinput>
684
Run in debug mode, and use a custom key:
688
<!-- do not wrap this line -->
689
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>
695
Run in debug mode, with a custom key, and do not use Zeroconf
696
to locate a server; connect directly to the IPv6 link-local
697
address <quote><systemitem class="ipaddress"
698
>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,
699
using interface eth2:
703
<!-- do not wrap this line -->
704
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>
710
380
<refsect1 id="security">
711
381
<title>SECURITY</title>
713
This program is set-uid to root, but will switch back to the
714
original (and presumably non-privileged) user and group after
715
bringing up the network interface.
718
To use this program for its intended purpose (see <xref
719
linkend="purpose"/>), the password for the root file system will
720
have to be given out to be stored in a server computer, after
721
having been encrypted using an OpenPGP key. This encrypted data
722
which will be stored in a server can only be decrypted by the
723
OpenPGP key, and the data will only be given out to those
724
clients who can prove they actually have that key. This key,
725
however, is stored unencrypted on the client side in its initial
726
<acronym>RAM</acronym> disk image file system. This is normally
727
readable by all, but this is normally fixed during installation
728
of this program; file permissions are set so that no-one is able
732
The only remaining weak point is that someone with physical
733
access to the client hard drive might turn off the client
734
computer, read the OpenPGP keys directly from the hard drive,
735
and communicate with the server. To safeguard against this, the
736
server is supposed to notice the client disappearing and stop
737
giving out the encrypted data. Therefore, it is important to
738
set the timeout and checker interval values tightly on the
739
server. See <citerefentry><refentrytitle
740
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
743
It will also help if the checker program on the server is
744
configured to request something from the client which can not be
745
spoofed by someone else on the network, unlike unencrypted
746
<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
749
<emphasis>Note</emphasis>: This makes it completely insecure to
750
have <application >Mandos</application> clients which dual-boot
751
to another operating system which is <emphasis>not</emphasis>
752
trusted to keep the initial <acronym>RAM</acronym> disk image
757
386
<refsect1 id="see_also">
758
387
<title>SEE ALSO</title>
760
<citerefentry><refentrytitle>intro</refentrytitle>
761
<manvolnum>8mandos</manvolnum></citerefentry>,
762
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
763
<manvolnum>8</manvolnum></citerefentry>,
764
<citerefentry><refentrytitle>crypttab</refentrytitle>
765
<manvolnum>5</manvolnum></citerefentry>,
766
389
<citerefentry><refentrytitle>mandos</refentrytitle>
767
390
<manvolnum>8</manvolnum></citerefentry>,
768
391
<citerefentry><refentrytitle>password-prompt</refentrytitle>
770
393
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
771
394
<manvolnum>8mandos</manvolnum></citerefentry>
776
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
780
Zeroconf is the network protocol standard used for finding
781
Mandos servers on the local network.
787
<ulink url="http://www.avahi.org/">Avahi</ulink>
791
Avahi is the library this program calls to find Zeroconf
798
<ulink url="http://www.gnu.org/software/gnutls/"
803
GnuTLS is the library this client uses to implement TLS for
804
communicating securely with the server, and at the same time
805
send the public OpenPGP key to the server.
811
<ulink url="http://www.gnupg.org/related_software/gpgme/"
816
GPGME is the library used to decrypt the OpenPGP data sent
823
RFC 4291: <citetitle>IP Version 6 Addressing
824
Architecture</citetitle>
829
<term>Section 2.2: <citetitle>Text Representation of
830
Addresses</citetitle></term>
831
<listitem><para/></listitem>
834
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
835
Address</citetitle></term>
836
<listitem><para/></listitem>
839
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
840
Addresses</citetitle></term>
843
This client uses IPv6 link-local addresses, which are
844
immediately usable since a link-local addresses is
845
automatically assigned to a network interfaces when it
855
RFC 4346: <citetitle>The Transport Layer Security (TLS)
856
Protocol Version 1.1</citetitle>
860
TLS 1.1 is the protocol implemented by GnuTLS.
866
RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
870
The data received from the server is binary encrypted
877
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
882
This is implemented by GnuTLS and used by this program so
883
that OpenPGP keys can be used.
398
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
402
<ulink url="http://www.avahi.org/">Avahi</ulink>
407
url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>
412
url="http://www.gnupg.org/related_software/gpgme/"
417
<citation>RFC 4880: <citetitle>OpenPGP Message
418
Format</citetitle></citation>
422
<citation>RFC 5081: <citetitle>Using OpenPGP Keys for
423
Transport Layer Security</citetitle></citation>
427
<citation>RFC 4291: <citetitle>IP Version 6 Addressing
428
Architecture</citetitle>, section 2.5.6, Link-Local IPv6
429
Unicast Addresses</citation>
891
435
<!-- Local Variables: -->
892
436
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
893
437
<!-- time-stamp-end: "[\"']>" -->