/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-09-03 17:11:32 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080903171132-usevhlf0gi9rxqc3
* plugins.d/password-request.c (init_gnutls_global): Improved wording
                                                     in debug message.
                                                     Bug fix: Make
                                                     debug message
                                                     print to stderr,
                                                     not stdout.

* plugins.d/password-request.xml (SECURITY): Add text.

Show diffs side-by-side

added added

removed removed

Lines of Context:
plugins.d/password-request.xml
62
62
      </group>
63
63
      <sbr/>
64
64
      <group>
 
65
        <arg choice="plain"><option>--keydir
 
66
        <replaceable>DIRECTORY</replaceable></option></arg>
 
67
        <arg choice="plain"><option>-d
 
68
        <replaceable>DIRECTORY</replaceable></option></arg>
 
69
      </group>
 
70
      <sbr/>
 
71
      <group>
65
72
        <arg choice="plain"><option>--interface
66
73
        <replaceable>NAME</replaceable></option></arg>
67
74
        <arg choice="plain"><option>-i
184
191
      </varlistentry>
185
192
      
186
193
      <varlistentry>
 
194
        <term><option>--keydir=<replaceable
 
195
        >DIRECTORY</replaceable></option></term>
 
196
        <term><option>-d
 
197
        <replaceable>DIRECTORY</replaceable></option></term>
 
198
        <listitem>
 
199
          <para>
 
200
            Directory to read the OpenPGP key files
 
201
            <filename>pubkey.txt</filename> and
 
202
            <filename>seckey.txt</filename> from.  The default is
 
203
            <filename>/conf/conf.d/mandos</filename> (in the initial
 
204
            <acronym>RAM</acronym> disk environment).
 
205
          </para>
 
206
        </listitem>
 
207
      </varlistentry>
 
208
 
 
209
      <varlistentry>
187
210
        <term><option>--interface=
188
211
        <replaceable>NAME</replaceable></option></term>
189
212
        <term><option>-i
209
232
        <replaceable>FILE</replaceable></option></term>
210
233
        <listitem>
211
234
          <para>
212
 
            OpenPGP public key file name.  The default name is
213
 
            <quote><filename>/conf/conf.d/mandos/pubkey.txt</filename
214
 
            ></quote>.
 
235
            OpenPGP public key file base name.  This will be combined
 
236
            with the directory from the <option>--keydir</option>
 
237
            option to form an absolute file name.  The default name is
 
238
            <quote><literal>pubkey.txt</literal></quote>.
215
239
          </para>
216
240
        </listitem>
217
241
      </varlistentry>
223
247
        <replaceable>FILE</replaceable></option></term>
224
248
        <listitem>
225
249
          <para>
226
 
            OpenPGP secret key file name.  The default name is
227
 
            <quote><filename>/conf/conf.d/mandos/seckey.txt</filename
228
 
            ></quote>.
 
250
            OpenPGP secret key file base name.  This will be combined
 
251
            with the directory from the <option>--keydir</option>
 
252
            option to form an absolute file name.  The default name is
 
253
            <quote><literal>seckey.txt</literal></quote>.
229
254
          </para>
230
255
        </listitem>
231
256
      </varlistentry>
311
336
      <filename>/etc/crypttab</filename>, but it would then be
312
337
      impossible to enter a password for the encrypted root disk at
313
338
      the console, since this program does not read from the console
314
 
      at all.  This is why a separate plugin (<citerefentry>
315
 
      <refentrytitle>password-prompt</refentrytitle>
316
 
      <manvolnum>8mandos</manvolnum></citerefentry>) does that, which
317
 
      will be run in parallell to this one by the plugin runner.
 
339
      at all.  This is why a separate plugin does that, which will be
 
340
      run in parallell to this one by the plugin runner.
318
341
    </para>
319
342
  </refsect1>
320
343
  
395
418
    </informalexample>
396
419
    <informalexample>
397
420
      <para>
398
 
        Run in debug mode, and use a custom key:
 
421
        Run in debug mode, and use a custom key directory:
399
422
      </para>
400
423
      <para>
401
 
 
402
 
<!-- do not wrap this line -->
403
 
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>
404
 
 
 
424
        <!-- do not wrap this line -->
 
425
        <userinput>&COMMANDNAME; --debug --keydir keydir</userinput>
405
426
      </para>
406
427
    </informalexample>
407
428
    <informalexample>
408
429
      <para>
409
 
        Run in debug mode, with a custom key, and do not use Zeroconf
410
 
        to locate a server; connect directly to the IPv6 address
411
 
        <quote><systemitem class="ipaddress"
 
430
        Run in debug mode, with a custom key directory, and do not use
 
431
        Zeroconf to locate a server; connect directly to the IPv6
 
432
        address <quote><systemitem class="ipaddress"
412
433
        >2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,
413
434
        port 4711, using interface eth2:
414
435
      </para>
415
436
      <para>
416
437
 
417
438
<!-- do not wrap this line -->
418
 
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>
 
439
<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>
419
440
 
420
441
      </para>
421
442
    </informalexample>
425
446
    <title>SECURITY</title>
426
447
    <para>
427
448
      This program is set-uid to root, but will switch back to the
428
 
      original (and presumably non-privileged) user and group after
429
 
      bringing up the network interface.
 
449
      original user and group after bringing up the network interface.
430
450
    </para>
431
451
    <para>
432
452
      To use this program for its intended purpose (see <xref
454
474
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
455
475
    </para>
456
476
    <para>
457
 
      It will also help if the checker program on the server is
458
 
      configured to request something from the client which can not be
459
 
      spoofed by someone else on the network, unlike unencrypted
460
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
461
 
    </para>
462
 
    <para>
463
 
      <emphasis>Note</emphasis>: This makes it completely insecure to
464
 
      have <application >Mandos</application> clients which dual-boot
465
 
      to another operating system which is <emphasis>not</emphasis>
466
 
      trusted to keep the initial <acronym>RAM</acronym> disk image
467
 
      confidential.
 
477
      <emphasis>Note</emphasis>: This makes it impossible to have
 
478
      <application >Mandos</application> clients which dual-boot to
 
479
      another operating system which does <emphasis>not</emphasis> run
 
480
      a <application>Mandos</application> client.
468
481
    </para>
469
482
  </refsect1>
470
483
 
471
484
  <refsect1 id="see_also">
472
485
    <title>SEE ALSO</title>
473
486
    <para>
474
 
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
475
 
      <manvolnum>8</manvolnum></citerefentry>,
476
 
      <citerefentry><refentrytitle>crypttab</refentrytitle>
477
 
      <manvolnum>5</manvolnum></citerefentry>,
478
487
      <citerefentry><refentrytitle>mandos</refentrytitle>
479
488
      <manvolnum>8</manvolnum></citerefentry>,
480
489
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
482
491
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
483
492
      <manvolnum>8mandos</manvolnum></citerefentry>
484
493
    </para>
485
 
    <variablelist>
486
 
      <varlistentry>
487
 
        <term>
488
 
          <ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
489
 
        </term>
490
 
        <listitem>
491
 
          <para>
492
 
            Zeroconf is the network protocol standard used for finding
493
 
            Mandos servers on the local network.
494
 
          </para>
495
 
        </listitem>
496
 
      </varlistentry>
497
 
      <varlistentry>
498
 
        <term>
499
 
          <ulink url="http://www.avahi.org/">Avahi</ulink>
500
 
        </term>
501
 
      <listitem>
502
 
        <para>
503
 
          Avahi is the library this program calls to find Zeroconf
504
 
          services.
505
 
        </para>
506
 
      </listitem>
507
 
      </varlistentry>
508
 
      <varlistentry>
509
 
        <term>
510
 
          <ulink url="http://www.gnu.org/software/gnutls/"
511
 
          >GnuTLS</ulink>
512
 
        </term>
513
 
      <listitem>
514
 
        <para>
515
 
          GnuTLS is the library this client uses to implement TLS for
516
 
          communicating securely with the server, and at the same time
517
 
          send the public OpenPGP key to the server.
518
 
        </para>
519
 
      </listitem>
520
 
      </varlistentry>
521
 
      <varlistentry>
522
 
        <term>
523
 
          <ulink url="http://www.gnupg.org/related_software/gpgme/"
524
 
                 >GPGME</ulink>
525
 
        </term>
526
 
        <listitem>
527
 
          <para>
528
 
            GPGME is the library used to decrypt the OpenPGP data sent
529
 
            by the server.
530
 
          </para>
531
 
        </listitem>
532
 
      </varlistentry>
533
 
      <varlistentry>
534
 
        <term>
535
 
          RFC 4291: <citetitle>IP Version 6 Addressing
536
 
          Architecture</citetitle>
537
 
        </term>
538
 
        <listitem>
539
 
          <variablelist>
540
 
            <varlistentry>
541
 
              <term>Section 2.2: <citetitle>Text Representation of
542
 
              Addresses</citetitle></term>
543
 
              <listitem><para/></listitem>
544
 
            </varlistentry>
545
 
            <varlistentry>
546
 
              <term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
547
 
              Address</citetitle></term>
548
 
              <listitem><para/></listitem>
549
 
            </varlistentry>
550
 
            <varlistentry>
551
 
            <term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
552
 
            Addresses</citetitle></term>
553
 
            <listitem>
554
 
              <para>
555
 
                This client uses IPv6 link-local addresses, which are
556
 
                immediately usable since a link-local addresses is
557
 
                automatically assigned to a network interfaces when it
558
 
                is brought up.
559
 
              </para>
560
 
            </listitem>
561
 
            </varlistentry>
562
 
          </variablelist>
563
 
        </listitem>
564
 
      </varlistentry>
565
 
      <varlistentry>
566
 
        <term>
567
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
568
 
          Protocol Version 1.1</citetitle>
569
 
        </term>
570
 
      <listitem>
571
 
        <para>
572
 
          TLS 1.1 is the protocol implemented by GnuTLS.
573
 
        </para>
574
 
      </listitem>
575
 
      </varlistentry>
576
 
      <varlistentry>
577
 
        <term>
578
 
          RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
579
 
        </term>
580
 
      <listitem>
581
 
        <para>
582
 
          The data received from the server is binary encrypted
583
 
          OpenPGP data.
584
 
        </para>
585
 
      </listitem>
586
 
      </varlistentry>
587
 
      <varlistentry>
588
 
        <term>
589
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
590
 
          Security</citetitle>
591
 
        </term>
592
 
      <listitem>
593
 
        <para>
594
 
          This is implemented by GnuTLS and used by this program so
595
 
          that OpenPGP keys can be used.
596
 
        </para>
597
 
      </listitem>
598
 
      </varlistentry>
599
 
    </variablelist>
 
494
    <itemizedlist>
 
495
      <listitem><para>
 
496
        <ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
 
497
      </para></listitem>
 
498
      
 
499
      <listitem><para>
 
500
        <ulink url="http://www.avahi.org/">Avahi</ulink>
 
501
      </para></listitem>
 
502
      
 
503
      <listitem><para>
 
504
        <ulink
 
505
            url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>
 
506
      </para></listitem>
 
507
      
 
508
      <listitem><para>
 
509
        <ulink
 
510
        url="http://www.gnupg.org/related_software/gpgme/"
 
511
        >GPGME</ulink>
 
512
      </para></listitem>
 
513
      
 
514
      <listitem><para>
 
515
        <citation>RFC 4880: <citetitle>OpenPGP Message
 
516
        Format</citetitle></citation>
 
517
      </para></listitem>
 
518
      
 
519
      <listitem><para>
 
520
        <citation>RFC 5081: <citetitle>Using OpenPGP Keys for
 
521
        Transport Layer Security</citetitle></citation>
 
522
      </para></listitem>
 
523
      
 
524
      <listitem><para>
 
525
        <citation>RFC 4291: <citetitle>IP Version 6 Addressing
 
526
        Architecture</citetitle>, section 2.5.6, Link-Local IPv6
 
527
        Unicast Addresses</citation>
 
528
      </para></listitem>
 
529
    </itemizedlist>
600
530
  </refsect1>
601
531
 
602
532
</refentry>