/mandos/trunk : revision 147

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 17:11:32 UTC
Revision ID: teddy@fukt.bsnet.se-20080903171132-usevhlf0gi9rxqc3

* plugins.d/password-request.c (init_gnutls_global): Improved wording
                                                     in debug message.
                                                     Bug fix: Make
                                                     debug message
                                                     print to stderr,
                                                     not stdout.

* plugins.d/password-request.xml (SECURITY): Add text.

files modified:
Makefile

TODO

mandos-options.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-02">

<!ENTITY TIMESTAMP "2008-09-03">

128

communicates with <citerefentry><refentrytitle

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

131

network connectivity, Zeroconf to find servers, and TLS with an

132

OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

134

receives a satisfactory reply or a TERM signal is recieved.

135

</para>

136

<para>

137

This program is not meant to be run directly; it is really meant

138

to run as a plugin of the <application>Mandos</application>

139

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

140

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn

141

runs as a <quote>keyscript</quote> specified in the

142

<citerefentry><refentrytitle>crypttab</refentrytitle>

143

<manvolnum>5</manvolnum></citerefentry> file.

140

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

141

initial <acronym>RAM</acronym> disk environment because it is

142

specified as a <quote>keyscript</quote> in the <citerefentry>

143

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

144

</citerefentry> file.

144

145

</para>

145

146

</refsect1>

146

147

154

155

</para>

155

156

</refsect1>

156

157

158

<title>OVERVIEW</title>

159

<xi:include href="overview.xml"/>

160

<para>

161

This program is the client part. It is a plugin started by

162

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

164

an initial <acronym>RAM</acronym> disk environment.

165

</para>

166

<para>

167

This program could, theoretically, be used as a keyscript in

168

<filename>/etc/crypttab</filename>, but it would then be

169

impossible to enter the encrypted root disk password at the

170

console, since this program does not read from the console at

171

all. This is why a separate plugin does that, which will be run

172

in parallell to this one.

173

</para>

174

</refsect1>

175

176

158

177

159

<title>OPTIONS</title>

178

160

<para>

188

170

189

171

190

172

<term><option>--connect=<replaceable

191

>IPADDR</replaceable><literal>:</literal><replaceable

173

>ADDRESS</replaceable><literal>:</literal><replaceable

192

174

>PORT</replaceable></option></term>

193

175

<term><option>-c

194

<replaceable>IPADDR</replaceable><literal>:</literal

176

<replaceable>ADDRESS</replaceable><literal>:</literal

195

177

><replaceable>PORT</replaceable></option></term>

196

178

197

179

<para>

202

184

assumed to separate the address from the port number.

203

185

</para>

204

186

<para>

205

This option is normally only useful for debugging.

187

This option is normally only useful for testing and

188

debugging.

206

189

</para>

207

190

</listitem>

208

191

</varlistentry>

234

217

Mandos servers to connect to. The default it

235

218

<quote><literal>eth0</literal></quote>.

236

219

</para>

220

<para>

221

If the <option>--connect</option> option is used, this

222

specifies the interface to use to connect to the address

223

given.

224

</para>

237

225

</listitem>

238

226

</varlistentry>

239

227

244

232

245

233

246

234

<para>

247

OpenPGP public key file name. This will be combined with

248

the directory from the <option>--keydir</option> option to

249

form an absolute file name. The default name is

235

OpenPGP public key file base name. This will be combined

236

with the directory from the <option>--keydir</option>

237

option to form an absolute file name. The default name is

250

238

<quote><literal>pubkey.txt</literal></quote>.

251

239

</para>

252

240

</listitem>

259

247

260

248

261

249

<para>

262

OpenPGP secret key file name. This will be combined with

263

the directory from the <option>--keydir</option> option to

264

form an absolute file name. The default name is

250

OpenPGP secret key file base name. This will be combined

251

with the directory from the <option>--keydir</option>

252

option to form an absolute file name. The default name is

265

253

<quote><literal>seckey.txt</literal></quote>.

266

254

</para>

267

255

</listitem>

271

259

<term><option>--priority=<replaceable

272

260

>STRING</replaceable></option></term>

273

261

274

<xi:include href="mandos-options.xml" xpointer="priority"/>

262

<xi:include href="../mandos-options.xml"

263

xpointer="priority"/>

275

264

</listitem>

276

265

</varlistentry>

277

266

333

322

</variablelist>

334

323

</refsect1>

335

324

325

326

<title>OVERVIEW</title>

327

<xi:include href="../overview.xml"/>

328

<para>

329

This program is the client part. It is a plugin started by

330

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

331

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

332

an initial <acronym>RAM</acronym> disk environment.

333

</para>

334

<para>

335

This program could, theoretically, be used as a keyscript in

336

<filename>/etc/crypttab</filename>, but it would then be

337

impossible to enter a password for the encrypted root disk at

338

the console, since this program does not read from the console

339

at all. This is why a separate plugin does that, which will be

340

run in parallell to this one by the plugin runner.

341

</para>

342

</refsect1>

343

336

344

337

345

<title>EXIT STATUS</title>

338

346

<para>

341

349

successfully decrypted and output on standard output. The

342

350

program will exit with a non-zero exit status only if a critical

343

351

error occurs. Otherwise, it will forever connect to new

344

<application>Mandosservers</application> servers as they appear,

345

trying to get a decryptable password.

346

</para>

347

</refsect1>

348

349

350

352

<application>Mandos</application> servers as they appear, trying

353

to get a decryptable password.

354

</para>

355

</refsect1>

356

357

358

<title>ENVIRONMENT</title>

359

<para>

360

This program does not use any environment variables, not even

361

the ones provided by <citerefentry><refentrytitle

362

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

363

</citerefentry>.

364

</para>

365

</refsect1>

366

367

368

<title>FILES</title>

369

370

371

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

372

></term>

373

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

374

></term>

375

376

<para>

377

OpenPGP public and private key files, in <quote>ASCII

378

Armor</quote> format. These are the default file names,

379

they can be changed with the <option>--pubkey</option> and

380

<option>--seckey</option> options.

381

</para>

382

</listitem>

383

</varlistentry>

384

</variablelist>

385

</refsect1>

386

387

388

351

389

352

353

390

354

391

355

356

357

<title>FILES</title>

358

<para>

359

</para>

360

</refsect1>

361

362

363

364

<para>

365

</para>

366

</refsect1>

367

392

368

393

369

394

<title>EXAMPLE</title>

370

395

<para>

396

Note that normally, command line options will not be given

397

directly, but via options for the Mandos <citerefentry

398

><refentrytitle>plugin-runner</refentrytitle>

399

<manvolnum>8mandos</manvolnum></citerefentry>.

371

400

</para>

401

402

<para>

403

Normal invocation needs no options, if the network interface

404

is <quote>eth0</quote>:

405

</para>

406

<para>

407

<userinput>&COMMANDNAME;</userinput>

408

</para>

409

</informalexample>

410

411

<para>

412

Search for Mandos servers on another interface:

413

</para>

414

<para>

415

416

<userinput>&COMMANDNAME; --interface eth1</userinput>

417

</para>

418

</informalexample>

419

420

<para>

421

Run in debug mode, and use a custom key directory:

422

</para>

423

<para>

424

425

<userinput>&COMMANDNAME; --debug --keydir keydir</userinput>

426

</para>

427

</informalexample>

428

429

<para>

430

Run in debug mode, with a custom key directory, and do not use

431

Zeroconf to locate a server; connect directly to the IPv6

432

address <quote><systemitem class="ipaddress"

433

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

434

port 4711, using interface eth2:

435

</para>

436

<para>

437

438

439

<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

440

441

</para>

442

</informalexample>

372

443

</refsect1>

373

444

374

445

375

446

<title>SECURITY</title>

376

447

<para>

448

This program is set-uid to root, but will switch back to the

449

original user and group after bringing up the network interface.

450

</para>

451

<para>

452

To use this program for its intended purpose (see <xref

453

linkend="purpose"/>), the password for the root file system will

454

have to be given out to be stored in a server computer, after

455

having been encrypted using an OpenPGP key. This encrypted data

456

which will be stored in a server can only be decrypted by the

457

OpenPGP key, and the data will only be given out to those

458

clients who can prove they actually have that key. This key,

459

however, is stored unencrypted on the client side in its initial

460

<acronym>RAM</acronym> disk image file system. This is normally

461

readable by all, but this is normally fixed during installation

462

of this program; file permissions are set so that no-one is able

463

to read that file.

464

</para>

465

<para>

466

The only remaining weak point is that someone with physical

467

access to the client hard drive might turn off the client

468

computer, read the OpenPGP keys directly from the hard drive,

469

and communicate with the server. The defense against this is

470

that the server is supposed to notice the client disappearing

471

and will stop giving out the encrypted data. Therefore, it is

472

important to set the timeout and checker interval values tightly

473

on the server. See <citerefentry><refentrytitle

474

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

475

</para>

476

<para>

477

<emphasis>Note</emphasis>: This makes it impossible to have

478

<application >Mandos</application> clients which dual-boot to

479

another operating system which does <emphasis>not</emphasis> run

480

a <application>Mandos</application> client.

377

481

</para>

378

482

</refsect1>

379

483

403

507

404

508

405

509

<ulink

406

url="http://www.gnupg.org/related_software/gpgme/">

407

GPGME</ulink>

510

url="http://www.gnupg.org/related_software/gpgme/"

511

>GPGME</ulink>

408

512

</para></listitem>

409

513

410

514

Older »