/mandos/trunk : revision 148

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 17:34:29 UTC
Revision ID: teddy@fukt.bsnet.se-20080903173429-db2mjtddf7mgbx8z

* plugins.d/password-request.xml (OVERVIEW): Refer to
                                             password-prompt(8) by
                                             name.
  (SECURITY): Improved wording.  Add paragraph about insecurity of
              ping.
  (SEE ALSO): Add references to cryptsetup(8) and crypttab(5).
              Changed to be a <variablelist> and added text.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/watch

default-mandos

init.d-mandos

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-08-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

111

100

<arg choice="plain"><option>--check</option></arg>

112

101

</cmdsynopsis>

113

102

</refsynopsisdiv>

114

103

115

104

116

105

<title>DESCRIPTION</title>

117

106

<para>

197

186

<xi:include href="mandos-options.xml" xpointer="debug"/>

198

187

</listitem>

199

188

</varlistentry>

200

201

202

<term><option>--debuglevel

203

<replaceable>LEVEL</replaceable></option></term>

204

205

<para>

206

Set the debugging log level.

207

<replaceable>LEVEL</replaceable> is a string, one of

208

<quote><literal>CRITICAL</literal></quote>,

209

<quote><literal>ERROR</literal></quote>,

210

<quote><literal>WARNING</literal></quote>,

211

<quote><literal>INFO</literal></quote>, or

212

<quote><literal>DEBUG</literal></quote>, in order of

213

increasing verbosity. The default level is

214

<quote><literal>WARNING</literal></quote>.

215

</para>

216

</listitem>

217

</varlistentry>

218

189

219

190

220

191

<term><option>--priority <replaceable>

221

192

PRIORITY</replaceable></option></term>

223

194

<xi:include href="mandos-options.xml" xpointer="priority"/>

224

195

</listitem>

225

196

</varlistentry>

226

197

227

198

228

199

<term><option>--servicename

229

200

232

203

xpointer="servicename"/>

233

204

</listitem>

234

205

</varlistentry>

235

206

236

207

237

208

<term><option>--configdir

238

209

<replaceable>DIRECTORY</replaceable></option></term>

247

218

</para>

248

219

</listitem>

249

220

</varlistentry>

250

221

251

222

252

223

<term><option>--version</option></term>

253

224

256

227

</para>

257

228

</listitem>

258

229

</varlistentry>

259

260

261

262

263

<xi:include href="mandos-options.xml" xpointer="dbus"/>

264

<para>

265

See also <xref linkend="dbus_interface"/>.

266

</para>

267

</listitem>

268

</varlistentry>

269

270

271

272

273

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

274

</listitem>

275

</varlistentry>

276

230

</variablelist>

277

231

</refsect1>

278

232

279

233

280

234

<title>OVERVIEW</title>

281

235

<xi:include href="overview.xml"/>

285

239

<acronym>RAM</acronym> disk environment.

286

240

</para>

287

241

</refsect1>

288

242

289

243

290

244

<title>NETWORK PROTOCOL</title>

291

245

<para>

343

297

</row>

344

298

</tbody></tgroup></table>

345

299

</refsect1>

346

300

347

301

348

302

<title>CHECKING</title>

349

303

<para>

350

304

The server will, by default, continually check that the clients

351

305

are still up. If a client has not been confirmed as being up

352

306

for some time, the client is assumed to be compromised and is no

353

longer eligible to receive the encrypted password. (Manual

354

intervention is required to re-enable a client.) The timeout,

307

longer eligible to receive the encrypted password. The timeout,

355

308

checker program, and interval between checks can be configured

356

309

both globally and per client; see <citerefentry>

357

310

<refentrytitle>mandos-clients.conf</refentrytitle>

358

<manvolnum>5</manvolnum></citerefentry>. A client successfully

359

receiving its password will also be treated as a successful

360

checker run.

361

</para>

362

</refsect1>

363

364

365

<title>APPROVAL</title>

366

<para>

367

The server can be configured to require manual approval for a

368

client before it is sent its secret. The delay to wait for such

369

approval and the default action (approve or deny) can be

370

configured both globally and per client; see <citerefentry>

371

<refentrytitle>mandos-clients.conf</refentrytitle>

372

<manvolnum>5</manvolnum></citerefentry>. By default all clients

373

will be approved immediately without delay.

374

</para>

375

<para>

376

This can be used to deny a client its secret if not manually

377

approved within a specified time. It can also be used to make

378

the server delay before giving a client its secret, allowing

379

optional manual denying of this specific client.

380

</para>

381

382

</refsect1>

383

311

<manvolnum>5</manvolnum></citerefentry>.

312

</para>

313

</refsect1>

314

384

315

385

316

<title>LOGGING</title>

386

317

<para>

390

321

and also show them on the console.

391

322

</para>

392

323

</refsect1>

393

394

395

<title>D-BUS INTERFACE</title>

396

<para>

397

The server will by default provide a D-Bus system bus interface.

398

This interface will only be accessible by the root user or a

399

Mandos-specific user, if such a user exists. For documentation

400

of the D-Bus API, see the file <filename>DBUS-API</filename>.

401

</para>

402

</refsect1>

403

324

404

325

405

326

<title>EXIT STATUS</title>

406

327

<para>

408

329

critical error is encountered.

409

330

</para>

410

331

</refsect1>

411

332

412

333

413

334

<title>ENVIRONMENT</title>

414

335

428

349

</varlistentry>

429

350

</variablelist>

430

351

</refsect1>

431

432

352

353

433

354

<title>FILES</title>

434

355

<para>

435

356

Use the <option>--configdir</option> option to change where

458

379

</listitem>

459

380

</varlistentry>

460

381

461

<term><filename>/var/run/mandos.pid</filename></term>

382

<term><filename>/var/run/mandos/mandos.pid</filename></term>

462

383

463

384

<para>

464

The file containing the process id of the

465

<command>&COMMANDNAME;</command> process started last.

385

The file containing the process id of

386

<command>&COMMANDNAME;</command>.

466

387

</para>

467

388

</listitem>

468

389

</varlistentry>

496

417

backtrace. This could be considered a feature.

497

418

</para>

498

419

<para>

499

Currently, if a client is disabled due to having timed out, the

500

server does not record this fact onto permanent storage. This

501

has some security implications, see <xref linkend="clients"/>.

420

Currently, if a client is declared <quote>invalid</quote> due to

421

having timed out, the server does not record this fact onto

422

permanent storage. This has some security implications, see

423

<xref linkend="CLIENTS"/>.

424

</para>

425

<para>

426

There is currently no way of querying the server of the current

427

status of clients, other than analyzing its <systemitem

428

class="service">syslog</systemitem> output.

502

429

</para>

503

430

<para>

504

431

There is no fine-grained control over logging and debug output.

507

434

Debug mode is conflated with running in the foreground.

508

435

</para>

509

436

<para>

510

The console log messages do not show a time stamp.

511

</para>

512

<para>

513

This server does not check the expire time of clients’ OpenPGP

514

keys.

437

The console log messages does not show a timestamp.

515

438

</para>

516

439

</refsect1>

517

440

552

475

</para>

553

476

</informalexample>

554

477

</refsect1>

555

478

556

479

557

480

<title>SECURITY</title>

558

481

559

482

<title>SERVER</title>

560

483

<para>

561

484

Running this <command>&COMMANDNAME;</command> server program

562

485

should not in itself present any security risk to the host

563

computer running it. The program switches to a non-root user

564

soon after startup.

486

computer running it. The program does not need any special

487

privileges to run, and is designed to run as a non-root user.

565

488

</para>

566

489

</refsect2>

567

490

568

491

<title>CLIENTS</title>

569

492

<para>

570

493

The server only gives out its stored data to clients which

577

500

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

578

501

<manvolnum>5</manvolnum></citerefentry>)

579

502

<emphasis>must</emphasis> be made non-readable by anyone

580

except the user starting the server (usually root).

503

except the user running the server.

581

504

</para>

582

505

<para>

583

506

As detailed in <xref linkend="checking"/>, the status of all

586

509

</para>

587

510

<para>

588

511

If a client is compromised, its downtime should be duly noted

589

by the server which would therefore disable the client. But

590

if the server was ever restarted, it would re-read its client

591

list from its configuration file and again regard all clients

592

therein as enabled, and hence eligible to receive their

593

passwords. Therefore, be careful when restarting servers if

594

it is suspected that a client has, in fact, been compromised

595

by parties who may now be running a fake Mandos client with

596

the keys from the non-encrypted initial <acronym>RAM</acronym>

597

image of the client host. What should be done in that case

598

(if restarting the server program really is necessary) is to

599

stop the server program, edit the configuration file to omit

600

any suspect clients, and restart the server program.

512

by the server which would therefore declare the client

513

invalid. But if the server was ever restarted, it would

514

re-read its client list from its configuration file and again

515

regard all clients therein as valid, and hence eligible to

516

receive their passwords. Therefore, be careful when

517

restarting servers if it is suspected that a client has, in

518

fact, been compromised by parties who may now be running a

519

fake Mandos client with the keys from the non-encrypted

520

initial <acronym>RAM</acronym> image of the client host. What

521

should be done in that case (if restarting the server program

522

really is necessary) is to stop the server program, edit the

523

configuration file to omit any suspect clients, and restart

524

the server program.

601

525

</para>

602

526

<para>

603

527

For more details on client-side security, see

604

<citerefentry><refentrytitle>mandos-client</refentrytitle>

528

<citerefentry><refentrytitle>password-request</refentrytitle>

605

529

<manvolnum>8mandos</manvolnum></citerefentry>.

606

530

</para>

607

531

</refsect2>

608

532

</refsect1>

609

533

610

534

611

535

612

536

<para>

613

<citerefentry><refentrytitle>intro</refentrytitle>

614

<manvolnum>8mandos</manvolnum></citerefentry>,

615

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

616

<manvolnum>5</manvolnum></citerefentry>,

617

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

618

<manvolnum>5</manvolnum></citerefentry>,

619

<citerefentry><refentrytitle>mandos-client</refentrytitle>

620

<manvolnum>8mandos</manvolnum></citerefentry>,

621

622

537

538

<refentrytitle>mandos-clients.conf</refentrytitle>

539

540

<refentrytitle>mandos.conf</refentrytitle>

541

542

<refentrytitle>password-request</refentrytitle>

543

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

544

545

</citerefentry>

623

546

</para>

624

547

625

548

Older »