/mandos/trunk : revision 165

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/password-agent.xml

Committer: Teddy Hogeborn
Date: 2008-09-05 18:37:28 UTC
Revision ID: teddy@fukt.bsnet.se-20080905183728-l0m8v3vqa302uwrw

* mandos (main): Use EAFP with pidfile.

files added:
initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

dracut-module/password-agent.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "password-agent">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos client as a systemd password agent.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg><option>--agent-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--helper-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--user=<replaceable

>USERID</replaceable></option></arg>

<sbr/>

<arg><option>--group=<replaceable

>GROUPID</replaceable></option></arg>

<sbr/>

<arg>

<replaceable>MANDOS_CLIENT</replaceable>

<arg choice="plain"><replaceable>OPTIONS</replaceable></arg>

</group>

</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

102

103

<arg choice="plain"><option>--version</option></arg>

104

105

</group>

106

</cmdsynopsis>

107

</refsynopsisdiv>

108

109

110

<title>DESCRIPTION</title>

111

<para>

112

<command>&COMMANDNAME;</command> is a program which is meant to

113

be a <citerefentry><refentrytitle>systemd</refentrytitle>

114

<manvolnum>1</manvolnum></citerefentry> <quote>Password

115

Agent</quote> (See <ulink

116

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

117

>Password Agents</ulink>). The aim of this program is therefore

118

to acquire and then send a password to some other program which

119

will use the password to unlock the encrypted root disk.

120

</para>

121

<para>

122

This program is not meant to be invoked directly, but can be in

123

order to test it.

124

</para>

125

</refsect1>

126

127

128

<title>PURPOSE</title>

129

<para>

130

The purpose of this is to enable <emphasis>remote and unattended

131

rebooting</emphasis> of client host computer with an

132

<emphasis>encrypted root file system</emphasis>. See <xref

133

linkend="overview"/> for details.

134

</para>

135

</refsect1>

136

137

138

<title>OPTIONS</title>

139

140

141

142

<term><option>--agent-directory

143

<replaceable>DIRECTORY</replaceable></option></term>

144

145

<para>

146

Specify a different agent directory. The default is

147

<quote><filename class="directory"

148

>/run/systemd/ask-password</filename ></quote> as per the

149

<ulink

150

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

151

>Password Agents</ulink> specification.

152

</para>

153

</listitem>

154

</varlistentry>

155

156

157

<term><option>--helper-directory

158

<replaceable>DIRECTORY</replaceable></option></term>

159

160

<para>

161

Specify a different helper directory. The default is

162

<quote><filename class="directory"

163

>/lib/mandos/plugin-helpers</filename

164

></quote>, which

165

will exist in the initial <acronym>RAM</acronym> disk

166

environment. (This will simply be passed to the

167

<replaceable>MANDOS_CLIENT</replaceable> program via the

168

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

169

See

170

<citerefentry><refentrytitle>mandos-client</refentrytitle

171

><manvolnum>8mandos</manvolnum></citerefentry>.)

172

</para>

173

</listitem>

174

</varlistentry>

175

176

177

<term><option>--user

178

<replaceable>USERID</replaceable></option></term>

179

180

<para>

181

Change real user ID to <replaceable>USERID</replaceable>

182

when running <replaceable>MANDOS_CLIENT</replaceable>.

183

The default is 65534. <emphasis>Note:</emphasis> This

184

must be a number, not a name.

185

</para>

186

</listitem>

187

</varlistentry>

188

189

190

<term><option>--group

191

<replaceable>GROUPID</replaceable></option></term>

192

193

<para>

194

Change real group ID to <replaceable>GROUPID</replaceable>

195

when running <replaceable>MANDOS_CLIENT</replaceable>.

196

The default is 65534. <emphasis>Note:</emphasis> This

197

must be a number, not a name.

198

</para>

199

</listitem>

200

</varlistentry>

201

202

203

<term><replaceable>MANDOS_CLIENT</replaceable></term>

204

205

<para>

206

This specifies the file name for

207

<citerefentry><refentrytitle>mandos-client</refentrytitle

208

><manvolnum>8mandos</manvolnum></citerefentry>. If the

209

<quote><option>--</option></quote> option is given, any

210

following options are passed to the <replaceable

211

>MANDOS_CLIENT</replaceable> program. The default is

212

<quote><filename

213

>/lib/mandos/plugins.d/mandos-client</filename ></quote>

214

(which is the correct location for the initial

215

<acronym>RAM</acronym> disk environment) without any

216

options.

217

</para>

218

</listitem>

219

</varlistentry>

220

221

222

223

224

225

<para>

226

Gives a help message about options and their meanings.

227

</para>

228

</listitem>

229

</varlistentry>

230

231

232

233

234

<para>

235

Ignore normal operation; instead only run self-tests.

236

Adding the <option>--help</option> option may show more

237

options possible in combination with

238

<option>--test</option>.

239

</para>

240

</listitem>

241

</varlistentry>

242

243

244

<term><option>--usage</option></term>

245

246

<para>

247

Gives a short usage message.

248

</para>

249

</listitem>

250

</varlistentry>

251

252

253

<term><option>--version</option></term>

254

255

256

<para>

257

Prints the program version.

258

</para>

259

</listitem>

260

</varlistentry>

261

</variablelist>

262

</refsect1>

263

264

265

<title>OVERVIEW</title>

266

<xi:include href="../overview.xml"/>

267

<para>

268

This program, &COMMANDNAME;, will run on the client side in the

269

initial <acronym>RAM</acronym> disk environment, and is

270

responsible for getting a password from the Mandos client

271

program itself, and to send that password to whatever is

272

currently asking for a password using the systemd <ulink

273

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

274

>Password Agents</ulink> mechanism.

275

</para>

276

<para>To accomplish this, &COMMANDNAME; runs the

277

<command>mandos-client</command> program (which is the actual

278

client program communicating with the Mandos server) or,

279

alternatively, any executable file specified as

280

<replaceable>MANDOS_CLIENT</replaceable>, and, as soon as a

281

password is acquired from the

282

<replaceable>MANDOS_CLIENT</replaceable> program, sends that

283

password (as per the <ulink

284

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

285

>Password Agents</ulink> specification) to all currently

286

unanswered password questions.

287

</para>

288

<para>

289

This program should be started (normally as a systemd service,

290

which in turn is normally started by a <citerefentry

291

><refentrytitle>systemd.path</refentrytitle>

292

<manvolnum>5</manvolnum></citerefentry> file) as a reaction to

293

files named <quote><filename>ask.<replaceable>xxxx</replaceable

294

></filename></quote> appearing in the agent directory

295

<quote><filename

296

class="directory">/run/systemd/ask-password</filename></quote>

297

(or the directory specified by

298

<option>--agent-directory</option>).

299

</para>

300

</refsect1>

301

302

303

<title>EXIT STATUS</title>

304

<para>

305

Exit status of this program is zero if no errors were

306

encountered, and otherwise not.

307

</para>

308

</refsect1>

309

310

311

<title>ENVIRONMENT</title>

312

<para>

313

This program does not use any environment variables itself, it

314

only passes on its environment to

315

<replaceable>MANDOS_CLIENT</replaceable>. Also, the

316

<option>--helper-directory</option> option will affect the

317

environment variable <envar>MANDOSPLUGINHELPERDIR</envar> for

318

<replaceable>MANDOS_CLIENT</replaceable>.

319

</para>

320

</refsect1>

321

322

323

<title>FILES</title>

324

<para>

325

326

327

<term><filename class="directory"

328

>/run/systemd/ask-password</filename></term>

329

330

<para>

331

The default directory to watch for password questions as

332

per the <ulink

333

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

334

>Password Agents</ulink> specification; can be changed

335

by the <option>--agent-directory</option> option.

336

</para>

337

</listitem>

338

</varlistentry>

339

340

<term><filename class="directory"

341

>/lib/mandos/plugin-helpers</filename

342

></term>

343

344

<para>

345

The helper directory as supplied to

346

<replaceable>MANDOS_CLIENT</replaceable> via the

347

<envar>MANDOSPLUGINHELPERDIR</envar> environment

348

variable; can be changed by the

349

<option>--helper-directory</option> option.

350

</para>

351

</listitem>

352

</varlistentry>

353

</variablelist>

354

</para>

355

</refsect1>

356

357

358

359

<xi:include href="../bugs.xml"/>

360

</refsect1>

361

362

363

<title>EXAMPLE</title>

364

365

<para>

366

Normal invocation needs no options:

367

</para>

368

<para>

369

<userinput>&COMMANDNAME;</userinput>

370

</para>

371

</informalexample>

372

373

<para>

374

Run an alternative <replaceable>MANDOS_CLIENT</replaceable>

375

program::

376

</para>

377

<para>

378

<userinput>&COMMANDNAME; /usr/local/sbin/alternate</userinput>

379

</para>

380

</informalexample>

381

382

<para>

383

Use alternative locations for the helper directory and the

384

Mandos client, and add extra options suitable for running in

385

the normal file system:

386

</para>

387

<para>

388

389

390

<userinput>&COMMANDNAME; --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers -- /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --tls-privkey=/etc/keys/mandos/tls-privkey.pem</userinput>

391

392

</para>

393

</informalexample>

394

395

<para>

396

Use the default location for

397

<citerefentry><refentrytitle>mandos-client</refentrytitle>

398

<manvolnum>8mandos</manvolnum></citerefentry>, but add many

399

options to it:

400

</para>

401

<para>

402

403

404

<userinput>&COMMANDNAME; -- /lib/mandos/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem</userinput>

405

406

</para>

407

</informalexample>

408

409

<para>

410

Only run the self-tests:

411

</para>

412

<para>

413

<userinput>&COMMANDNAME; --test</userinput>

414

</para>

415

</informalexample>

416

</refsect1>

417

418

<title>SECURITY</title>

419

<para>

420

This program will need to run as the root user in order to read

421

the agent directory and the <quote><filename

422

>ask.<replaceable>xxxx</replaceable></filename></quote> files

423

there, and will, when starting the Mandos client program,

424

require the ability to set the <quote>real</quote> user and

425

group ids to another user, by default user and group 65534,

426

which are assumed to be non-privileged. This is done in order

427

to match the expectations of <citerefentry><refentrytitle

428

>mandos-client</refentrytitle><manvolnum>8mandos</manvolnum

429

></citerefentry>, which assumes that its executable file is

430

owned by the root user and also has the set-user-ID bit set (see

431

<citerefentry><refentrytitle>execve</refentrytitle><manvolnum

432

>2</manvolnum></citerefentry>).

433

</para>

434

</refsect1>

435

436

437

438

<para>

439

<citerefentry><refentrytitle>intro</refentrytitle>

440

<manvolnum>8mandos</manvolnum></citerefentry>,

441

<citerefentry><refentrytitle>mandos-client</refentrytitle>

442

<manvolnum>8mandos</manvolnum></citerefentry>,

443

<citerefentry><refentrytitle>systemd</refentrytitle>

444

<manvolnum>1</manvolnum></citerefentry>,

445

</para>

446

447

448

<term>

449

<ulink

450

url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"

451

>Password Agents</ulink>

452

</term>

453

454

<para>

455

The specification for systemd <quote>Password

456

Agent</quote> programs, which

457

<command>&COMMANDNAME;</command> follows.

458

</para>

459

</listitem>

460

</varlistentry>

461

</variablelist>

462

</refsect1>

463

464

</refentry>

465

466

467

468

469

Older »