To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 157
- compare with another revision
- download diff
- download tarball
- view history from revision 157
- Committer: Teddy Hogeborn
- Date: 2008-09-04 14:04:09 UTC
- Revision ID: teddy@fukt.bsnet.se-20080904140409-anr3hckg8ew7q60e
* plugin-runner.xml (BUGS): Document the non-recursiveness of the
"--config-file" option.
"--config-file" option.
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2011-10-03">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
6
<!ENTITY TIMESTAMP "2008-09-04">
8
7
]>
9
8
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<refentryinfo>
10
<refentryinfo>
12
11
<title>Mandos Manual</title>
13
12
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
13
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
14
<productnumber>&VERSION;</productnumber>
16
15
<date>&TIMESTAMP;</date>
17
16
<authorgroup>
18
17
<author>
19
18
<firstname>Björn</firstname>
20
19
<surname>Påhlsson</surname>
21
20
<address>
22
<email>belorn@recompile.se</email>
21
<email>belorn@fukt.bsnet.se</email>
23
22
</address>
24
23
</author>
25
24
<author>
26
25
<firstname>Teddy</firstname>
27
26
<surname>Hogeborn</surname>
28
27
<address>
29
<email>teddy@recompile.se</email>
28
<email>teddy@fukt.bsnet.se</email>
30
29
</address>
31
30
</author>
32
31
</authorgroup>
33
32
<copyright>
34
33
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
38
34
<holder>Teddy Hogeborn</holder>
39
35
<holder>Björn Påhlsson</holder>
40
36
</copyright>
41
37
<xi:include href="legalnotice.xml"/>
42
38
</refentryinfo>
43
39
44
40
<refmeta>
45
41
<refentrytitle>&COMMANDNAME;</refentrytitle>
46
42
<manvolnum>8</manvolnum>
52
48
Gives encrypted passwords to authenticated Mandos clients
53
49
</refpurpose>
54
50
</refnamediv>
55
51
56
52
<refsynopsisdiv>
57
53
<cmdsynopsis>
58
54
<command>&COMMANDNAME;</command>
87
83
<replaceable>DIRECTORY</replaceable></option></arg>
88
84
<sbr/>
89
85
<arg><option>--debug</option></arg>
90
<sbr/>
91
<arg><option>--debuglevel
92
<replaceable>LEVEL</replaceable></option></arg>
93
<sbr/>
94
<arg><option>--no-dbus</option></arg>
95
<sbr/>
96
<arg><option>--no-ipv6</option></arg>
97
86
</cmdsynopsis>
98
87
<cmdsynopsis>
99
88
<command>&COMMANDNAME;</command>
111
100
<arg choice="plain"><option>--check</option></arg>
112
101
</cmdsynopsis>
113
102
</refsynopsisdiv>
114
103
115
104
<refsect1 id="description">
116
105
<title>DESCRIPTION</title>
117
106
<para>
118
107
<command>&COMMANDNAME;</command> is a server daemon which
119
108
handles incoming request for passwords for a pre-defined list of
120
client host computers. For an introduction, see
121
<citerefentry><refentrytitle>intro</refentrytitle>
122
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
123
uses Zeroconf to announce itself on the local network, and uses
124
TLS to communicate securely with and to authenticate the
125
clients. The Mandos server uses IPv6 to allow Mandos clients to
126
use IPv6 link-local addresses, since the clients will probably
127
not have any other addresses configured (see <xref
128
linkend="overview"/>). Any authenticated client is then given
129
the stored pre-encrypted password for that specific client.
109
client host computers. The Mandos server uses Zeroconf to
110
announce itself on the local network, and uses TLS to
111
communicate securely with and to authenticate the clients. The
112
Mandos server uses IPv6 to allow Mandos clients to use IPv6
113
link-local addresses, since the clients will probably not have
114
any other addresses configured (see <xref linkend="overview"/>).
115
Any authenticated client is then given the stored pre-encrypted
116
password for that specific client.
130
117
</para>
131
118
</refsect1>
132
119
199
186
<xi:include href="mandos-options.xml" xpointer="debug"/>
200
187
</listitem>
201
188
</varlistentry>
202
203
<varlistentry>
204
<term><option>--debuglevel
205
<replaceable>LEVEL</replaceable></option></term>
206
<listitem>
207
<para>
208
Set the debugging log level.
209
<replaceable>LEVEL</replaceable> is a string, one of
210
<quote><literal>CRITICAL</literal></quote>,
211
<quote><literal>ERROR</literal></quote>,
212
<quote><literal>WARNING</literal></quote>,
213
<quote><literal>INFO</literal></quote>, or
214
<quote><literal>DEBUG</literal></quote>, in order of
215
increasing verbosity. The default level is
216
<quote><literal>WARNING</literal></quote>.
217
</para>
218
</listitem>
219
</varlistentry>
220
189
221
190
<varlistentry>
222
191
<term><option>--priority <replaceable>
223
192
PRIORITY</replaceable></option></term>
225
194
<xi:include href="mandos-options.xml" xpointer="priority"/>
226
195
</listitem>
227
196
</varlistentry>
228
197
229
198
<varlistentry>
230
199
<term><option>--servicename
231
200
<replaceable>NAME</replaceable></option></term>
234
203
xpointer="servicename"/>
235
204
</listitem>
236
205
</varlistentry>
237
206
238
207
<varlistentry>
239
208
<term><option>--configdir
240
209
<replaceable>DIRECTORY</replaceable></option></term>
249
218
</para>
250
219
</listitem>
251
220
</varlistentry>
252
221
253
222
<varlistentry>
254
223
<term><option>--version</option></term>
255
224
<listitem>
258
227
</para>
259
228
</listitem>
260
229
</varlistentry>
261
262
<varlistentry>
263
<term><option>--no-dbus</option></term>
264
<listitem>
265
<xi:include href="mandos-options.xml" xpointer="dbus"/>
266
<para>
267
See also <xref linkend="dbus_interface"/>.
268
</para>
269
</listitem>
270
</varlistentry>
271
272
<varlistentry>
273
<term><option>--no-ipv6</option></term>
274
<listitem>
275
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
276
</listitem>
277
</varlistentry>
278
230
</variablelist>
279
231
</refsect1>
280
232
281
233
<refsect1 id="overview">
282
234
<title>OVERVIEW</title>
283
235
<xi:include href="overview.xml"/>
287
239
<acronym>RAM</acronym> disk environment.
288
240
</para>
289
241
</refsect1>
290
242
291
243
<refsect1 id="protocol">
292
244
<title>NETWORK PROTOCOL</title>
293
245
<para>
345
297
</row>
346
298
</tbody></tgroup></table>
347
299
</refsect1>
348
300
349
301
<refsect1 id="checking">
350
302
<title>CHECKING</title>
351
303
<para>
352
304
The server will, by default, continually check that the clients
353
305
are still up. If a client has not been confirmed as being up
354
306
for some time, the client is assumed to be compromised and is no
355
longer eligible to receive the encrypted password. (Manual
356
intervention is required to re-enable a client.) The timeout,
357
extended timeout, checker program, and interval between checks
358
can be configured both globally and per client; see
359
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
360
<manvolnum>5</manvolnum></citerefentry>. A client successfully
361
receiving its password will also be treated as a successful
362
checker run.
363
</para>
364
</refsect1>
365
366
<refsect1 id="approval">
367
<title>APPROVAL</title>
368
<para>
369
The server can be configured to require manual approval for a
370
client before it is sent its secret. The delay to wait for such
371
approval and the default action (approve or deny) can be
372
configured both globally and per client; see <citerefentry>
307
longer eligible to receive the encrypted password. The timeout,
308
checker program, and interval between checks can be configured
309
both globally and per client; see <citerefentry>
373
310
<refentrytitle>mandos-clients.conf</refentrytitle>
374
<manvolnum>5</manvolnum></citerefentry>. By default all clients
375
will be approved immediately without delay.
376
</para>
377
<para>
378
This can be used to deny a client its secret if not manually
379
approved within a specified time. It can also be used to make
380
the server delay before giving a client its secret, allowing
381
optional manual denying of this specific client.
382
</para>
383
311
<manvolnum>5</manvolnum></citerefentry>.
312
</para>
384
313
</refsect1>
385
314
386
315
<refsect1 id="logging">
387
316
<title>LOGGING</title>
388
317
<para>
392
321
and also show them on the console.
393
322
</para>
394
323
</refsect1>
395
396
<refsect1 id="dbus_interface">
397
<title>D-BUS INTERFACE</title>
398
<para>
399
The server will by default provide a D-Bus system bus interface.
400
This interface will only be accessible by the root user or a
401
Mandos-specific user, if such a user exists. For documentation
402
of the D-Bus API, see the file <filename>DBUS-API</filename>.
403
</para>
404
</refsect1>
405
324
406
325
<refsect1 id="exit_status">
407
326
<title>EXIT STATUS</title>
408
327
<para>
410
329
critical error is encountered.
411
330
</para>
412
331
</refsect1>
413
332
414
333
<refsect1 id="environment">
415
334
<title>ENVIRONMENT</title>
416
335
<variablelist>
430
349
</varlistentry>
431
350
</variablelist>
432
351
</refsect1>
433
434
<refsect1 id="files">
352
353
<refsect1 id="file">
435
354
<title>FILES</title>
436
355
<para>
437
356
Use the <option>--configdir</option> option to change where
460
379
</listitem>
461
380
</varlistentry>
462
381
<varlistentry>
463
<term><filename>/var/run/mandos.pid</filename></term>
382
<term><filename>/var/run/mandos/mandos.pid</filename></term>
464
383
<listitem>
465
384
<para>
466
The file containing the process id of the
467
<command>&COMMANDNAME;</command> process started last.
385
The file containing the process id of
386
<command>&COMMANDNAME;</command>.
468
387
</para>
469
388
</listitem>
470
389
</varlistentry>
498
417
backtrace. This could be considered a feature.
499
418
</para>
500
419
<para>
501
Currently, if a client is disabled due to having timed out, the
502
server does not record this fact onto permanent storage. This
503
has some security implications, see <xref linkend="clients"/>.
420
Currently, if a client is declared <quote>invalid</quote> due to
421
having timed out, the server does not record this fact onto
422
permanent storage. This has some security implications, see
423
<xref linkend="CLIENTS"/>.
424
</para>
425
<para>
426
There is currently no way of querying the server of the current
427
status of clients, other than analyzing its <systemitem
428
class="service">syslog</systemitem> output.
504
429
</para>
505
430
<para>
506
431
There is no fine-grained control over logging and debug output.
509
434
Debug mode is conflated with running in the foreground.
510
435
</para>
511
436
<para>
512
The console log messages do not show a time stamp.
437
The console log messages does not show a time stamp.
513
438
</para>
514
439
<para>
515
440
This server does not check the expire time of clients’ OpenPGP
554
479
</para>
555
480
</informalexample>
556
481
</refsect1>
557
482
558
483
<refsect1 id="security">
559
484
<title>SECURITY</title>
560
<refsect2 id="server">
485
<refsect2 id="SERVER">
561
486
<title>SERVER</title>
562
487
<para>
563
488
Running this <command>&COMMANDNAME;</command> server program
564
489
should not in itself present any security risk to the host
565
computer running it. The program switches to a non-root user
566
soon after startup.
490
computer running it. The program does not need any special
491
privileges to run, and is designed to run as a non-root user.
567
492
</para>
568
493
</refsect2>
569
<refsect2 id="clients">
494
<refsect2 id="CLIENTS">
570
495
<title>CLIENTS</title>
571
496
<para>
572
497
The server only gives out its stored data to clients which
579
504
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
580
505
<manvolnum>5</manvolnum></citerefentry>)
581
506
<emphasis>must</emphasis> be made non-readable by anyone
582
except the user starting the server (usually root).
507
except the user running the server.
583
508
</para>
584
509
<para>
585
510
As detailed in <xref linkend="checking"/>, the status of all
588
513
</para>
589
514
<para>
590
515
If a client is compromised, its downtime should be duly noted
591
by the server which would therefore disable the client. But
592
if the server was ever restarted, it would re-read its client
593
list from its configuration file and again regard all clients
594
therein as enabled, and hence eligible to receive their
595
passwords. Therefore, be careful when restarting servers if
596
it is suspected that a client has, in fact, been compromised
597
by parties who may now be running a fake Mandos client with
598
the keys from the non-encrypted initial <acronym>RAM</acronym>
599
image of the client host. What should be done in that case
600
(if restarting the server program really is necessary) is to
601
stop the server program, edit the configuration file to omit
602
any suspect clients, and restart the server program.
516
by the server which would therefore declare the client
517
invalid. But if the server was ever restarted, it would
518
re-read its client list from its configuration file and again
519
regard all clients therein as valid, and hence eligible to
520
receive their passwords. Therefore, be careful when
521
restarting servers if it is suspected that a client has, in
522
fact, been compromised by parties who may now be running a
523
fake Mandos client with the keys from the non-encrypted
524
initial <acronym>RAM</acronym> image of the client host. What
525
should be done in that case (if restarting the server program
526
really is necessary) is to stop the server program, edit the
527
configuration file to omit any suspect clients, and restart
528
the server program.
603
529
</para>
604
530
<para>
605
531
For more details on client-side security, see
606
<citerefentry><refentrytitle>mandos-client</refentrytitle>
532
<citerefentry><refentrytitle>password-request</refentrytitle>
607
533
<manvolnum>8mandos</manvolnum></citerefentry>.
608
534
</para>
609
535
</refsect2>
610
536
</refsect1>
611
537
612
538
<refsect1 id="see_also">
613
539
<title>SEE ALSO</title>
614
540
<para>
615
<citerefentry><refentrytitle>intro</refentrytitle>
616
<manvolnum>8mandos</manvolnum></citerefentry>,
617
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
618
<manvolnum>5</manvolnum></citerefentry>,
619
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
620
<manvolnum>5</manvolnum></citerefentry>,
621
<citerefentry><refentrytitle>mandos-client</refentrytitle>
622
<manvolnum>8mandos</manvolnum></citerefentry>,
623
<citerefentry><refentrytitle>sh</refentrytitle>
624
<manvolnum>1</manvolnum></citerefentry>
541
<citerefentry>
542
<refentrytitle>mandos-clients.conf</refentrytitle>
543
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
<refentrytitle>mandos.conf</refentrytitle>
545
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
<refentrytitle>password-request</refentrytitle>
547
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
</citerefentry>
625
550
</para>
626
551
<variablelist>
627
552
<varlistentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0