/mandos/trunk : revision 160

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-05 07:11:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080905071124-9dq11jq5rfd6zfxf

* Makefile: Changed to use symbolic instead of octal modes throughout.
  (KEYDIR): New variable for the key directory.
  (install-server): Bug fix: remove "--parents" from install args.
  (install-client): Bug fix: - '' -  Also create key directory.  Do
                    not chmod plugin dir.  Create custom plugin directory
                    if not the same as normal plugin directory.  Add
                    "--dir" option to "mandos-keygen".  Add note about
                    running "mandos-keygen --password".
  (uninstall-server): Do not depend on the installed server binary,
                      since this made it impossible to do a purge
                      after an uninstall.
  (purge-client): Shred seckey.txt.  Use $(KEYDIR).

* README: Improved wording.

* initramfs-tools-hook: Use a loop to find prefix.  Also find keydir.
                        Remove "${DESTDIR}" from "copy_exec".  Do not
                        try to copy literal "*" if no custom plugins
                        are found.  Copy key files from keydir, not
                        config dir.  Only repair mode on directories
                        that actually exist.  Do not run chmod if
                        nothing needs repairing.

* plugin-runner.conf: New file.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

plugins.d/askpass-fifo.c

plugins.d/splashy.c

plugins.d/usplash.c

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2008-09-30">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-04">

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

113

</group>

114

</cmdsynopsis>

115

</refsynopsisdiv>

116

117

118

<title>DESCRIPTION</title>

119

<para>

215

</para>

216

</listitem>

217

</varlistentry>

218

219

220

<term><option>--seckey=<replaceable

221

>FILE</replaceable></option></term>

238

xpointer="priority"/>

239

</listitem>

240

</varlistentry>

241

242

243

<term><option>--dh-bits=<replaceable

244

>BITS</replaceable></option></term>

284

</para>

285

</listitem>

286

</varlistentry>

287

288

289

<term><option>--version</option></term>

290

296

</varlistentry>

297

</variablelist>

298

</refsect1>

299

300

301

<title>OVERVIEW</title>

302

<xi:include href="../overview.xml"/>

311

<filename>/etc/crypttab</filename>, but it would then be

312

impossible to enter a password for the encrypted root disk at

313

the console, since this program does not read from the console

314

at all. This is why a separate plugin runner (<citerefentry>

315

<refentrytitle>plugin-runner</refentrytitle>

316

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

317

both this program and others in in parallel,

318

<emphasis>one</emphasis> of which will prompt for passwords on

319

the system console.

314

at all. This is why a separate plugin (<citerefentry>

315

<refentrytitle>password-prompt</refentrytitle>

316

<manvolnum>8mandos</manvolnum></citerefentry>) does that, which

317

will be run in parallel to this one by the plugin runner.

320

318

</para>

321

319

</refsect1>

322

320

329

327

program will exit with a non-zero exit status only if a critical

330

328

error occurs. Otherwise, it will forever connect to new

331

329

<application>Mandos</application> servers as they appear, trying

332

to get a decryptable password and print it.

330

to get a decryptable password.

333

331

</para>

334

332

</refsect1>

335

333

368

366

369

367

370

368

371

369

372

370

373

371

<title>EXAMPLE</title>

374

372

<para>

423

421

</para>

424

422

</informalexample>

425

423

</refsect1>

426

424

427

425

428

426

<title>SECURITY</title>

429

427

<para>

449

447

The only remaining weak point is that someone with physical

450

448

access to the client hard drive might turn off the client

451

449

computer, read the OpenPGP keys directly from the hard drive,

452

and communicate with the server. To safeguard against this, the

453

server is supposed to notice the client disappearing and stop

454

giving out the encrypted data. Therefore, it is important to

455

set the timeout and checker interval values tightly on the

456

server. See <citerefentry><refentrytitle

450

and communicate with the server. The defense against this is

451

that the server is supposed to notice the client disappearing

452

and will stop giving out the encrypted data. Therefore, it is

453

important to set the timeout and checker interval values tightly

454

on the server. See <citerefentry><refentrytitle

457

455

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

458

456

</para>

459

457

<para>

470

468

confidential.

471

469

</para>

472

470

</refsect1>

473

471

474

472

475

473

476

474

<para>

601

599

</varlistentry>

602

600

</variablelist>

603

601

</refsect1>

602

604

603

</refentry>

605

606

604

607

605

608

606

Older »