1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY TIMESTAMP "2020-09-16">
5
<!ENTITY % common SYSTEM "common.ent">
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<title>Mandos Manual</title>
12
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
<productname>Mandos</productname>
14
<productnumber>&version;</productnumber>
15
<date>&TIMESTAMP;</date>
18
<firstname>Björn</firstname>
19
<surname>Påhlsson</surname>
21
<email>belorn@recompile.se</email>
25
<firstname>Teddy</firstname>
26
<surname>Hogeborn</surname>
28
<email>teddy@recompile.se</email>
43
<holder>Teddy Hogeborn</holder>
44
<holder>Björn Påhlsson</holder>
46
<xi:include href="legalnotice.xml"/>
50
<refentrytitle>intro</refentrytitle>
51
<manvolnum>8mandos</manvolnum>
55
<refname>intro</refname>
57
Introduction to the Mandos system
61
<refsect1 id="description">
62
<title>DESCRIPTION</title>
64
This is the the Mandos system, which allows computers to have
65
encrypted root file systems and at the same time be capable of
66
remote and/or unattended reboots.
69
The computers run a small client program in the initial RAM disk
70
environment which will communicate with a server over a network.
71
All network communication is encrypted using TLS. The clients
72
are identified by the server using a TLS public key; each client
73
has one unique to it. The server sends the clients an encrypted
74
password. The encrypted password is decrypted by the clients
75
using a separate OpenPGP key, and the password is then used to
76
unlock the root file system, whereupon the computers can
77
continue booting normally.
81
<refsect1 id="introduction">
82
<title>INTRODUCTION</title>
84
<!-- This paragraph is a combination and paraphrase of two
85
quotes from the 1995 movie “The Usual Suspects”. -->
86
You know how it is. You’ve heard of it happening. The Man
87
comes and takes away your servers, your friends’ servers, the
88
servers of everybody in the same hosting facility. The servers
89
of their neighbors, and their neighbors’ friends. The servers
90
of people who owe them money. And like
91
<emphasis>that</emphasis>, they’re gone. And you doubt you’ll
95
That is why your servers have encrypted root file systems.
96
However, there’s a downside. There’s no going around it:
97
rebooting is a pain. Dragging out that rarely-used keyboard and
98
screen and unraveling cables behind your servers to plug them in
99
to type in that password is messy, especially if you have many
100
servers. There are some people who do clever things like using
101
serial line consoles and daisy-chain it to the next server, and
102
keep all the servers connected in a ring with serial cables,
103
which will work, if your servers are physically close enough.
104
There are also other out-of-band management solutions, but with
105
<emphasis>all</emphasis> these, you still have to be on hand and
106
manually type in the password at boot time. Otherwise the
107
server just sits there, waiting for a password.
110
Wouldn’t it be great if you could have the security of encrypted
111
root file systems and still have servers that could boot up
112
automatically if there was a short power outage while you were
113
asleep? That you could reboot at will, without having someone
114
run over to the server to type in the password?
117
Well, with Mandos, you (almost) can! The gain in convenience
118
will only be offset by a small loss in security. The setup is
122
The server will still have its encrypted root file system. The
123
password to this file system will be stored on another computer
124
(henceforth known as the Mandos server) on the same local
125
network. The password will <emphasis>not</emphasis> be stored
126
in plaintext, but encrypted with OpenPGP. To decrypt this
127
password, a key is needed. This key (the Mandos client key)
128
will not be stored there, but back on the original server
129
(henceforth known as the Mandos client) in the initial RAM disk
130
image. Oh, and all network Mandos client/server communications
131
will be encrypted, using TLS (SSL).
134
So, at boot time, the Mandos client will ask for its encrypted
135
data over the network, decrypt the data to get the password, use
136
the password to decrypt the root file system, and the client can
137
then continue booting.
140
Now, of course the initial RAM disk image is not on the
141
encrypted root file system, so anyone who had physical access
142
could take the Mandos client computer offline and read the disk
143
with their own tools to get the authentication keys used by a
144
client. <emphasis>But</emphasis>, by then the Mandos server
145
should notice that the original server has been offline for too
146
long, and will no longer give out the encrypted key. The timing
147
here is the only real weak point, and the method, frequency and
148
timeout of the server’s checking can be adjusted to any desired
152
(The encrypted keys on the Mandos server is on its normal file
153
system, so those are safe, provided the root file system of
154
<emphasis>that</emphasis> server is encrypted.)
159
<title>FREQUENTLY ASKED QUESTIONS</title>
161
Couldn’t the security be defeated by…
163
<refsect2 id="quick">
164
<title>Grabbing the Mandos client key from the
165
initrd <emphasis>really quickly</emphasis>?</title>
167
This, as mentioned above, is the only real weak point. But if
168
you set the timing values tight enough, this will be really
169
difficult to do. An attacker would have to physically
170
disassemble the client computer, extract the key from the
171
initial RAM disk image, and then connect to a <emphasis>still
172
online</emphasis> Mandos server to get the encrypted key, and do
173
all this <emphasis>before</emphasis> the Mandos server timeout
174
kicks in and the Mandos server refuses to give out the key to
178
Now, as the typical procedure seems to be to barge in and turn
179
off and grab <emphasis>all</emphasis> computers, to maybe look
180
at them months later, this is not likely. If someone does that,
181
the whole system <emphasis>will</emphasis> lock itself up
182
completely, since Mandos servers are no longer running.
185
For sophisticated attackers who <emphasis>could</emphasis> do
186
the clever thing, <emphasis>and</emphasis> had physical access
187
to the server for enough time, it would be simpler to get a key
188
for an encrypted file system by using hardware memory scanners
189
and reading it right off the memory bus.
193
<refsect2 id="replay">
194
<title>Replay attacks?</title>
196
Nope, the network stuff is all done over TLS, which provides
197
protection against that.
202
<title>Man-in-the-middle?</title>
204
No. The server only gives out the passwords to clients which
205
have <emphasis>in the TLS handshake</emphasis> proven that
206
they do indeed hold the private key corresponding to that
211
<refsect2 id="sniff">
212
<title>How about sniffing the network traffic and decrypting it
213
later by physically grabbing the Mandos client and using its
216
We only use <acronym>PFS</acronym> (Perfect Forward Security)
217
key exchange algorithms in TLS, which protects against this.
221
<refsect2 id="physgrab">
222
<title>Physically grabbing the Mandos server computer?</title>
224
You could protect <emphasis>that</emphasis> computer the
225
old-fashioned way, with a must-type-in-the-password-at-boot
226
method. Or you could have two computers be the Mandos server
230
Multiple Mandos servers can coexist on a network without any
231
trouble. They do not clash, and clients will try all
232
available servers. This means that if just one reboots then
233
the other can bring it back up, but if both reboot at the same
234
time they will stay down until someone types in the password
239
<refsect2 id="fakecheck">
240
<title>Faking checker results?</title>
242
If the Mandos client does not have an SSH server, the default
243
is for the Mandos server to use
244
<quote><literal>fping</literal></quote>, the replies to which
245
could be faked to eliminate the timeout. But this could
246
easily be changed to any shell command, with any security
247
measures you like. If the Mandos client
248
<emphasis>has</emphasis> an SSH server, the default
249
configuration (as generated by
250
<command>mandos-keygen</command> with the
251
<option>--password</option> option) is for the Mandos server
252
to use an <command>ssh-keyscan</command> command with strict
253
keychecking, which can not be faked. Alternatively, IPsec
254
could be used for the ping packets, making them secure.
259
<refsect1 id="security">
260
<title>SECURITY</title>
262
So, in summary: The only weakness in the Mandos system is from
268
The power to come in and physically take your servers,
269
<emphasis>and</emphasis>
274
The cunning and patience to do it carefully, one at a time,
275
and <emphasis>quickly</emphasis>, faking Mandos
276
client/server responses for each one before the timeout.
281
While there are some who may be threatened by people who have
282
<emphasis>both</emphasis> these attributes, they do not,
283
probably, constitute the majority.
286
If you <emphasis>do</emphasis> face such opponents, you must
287
figure that they could just as well open your servers and read
288
the file system keys right off the memory by running wires to
292
What Mandos is designed to protect against is
293
<emphasis>not</emphasis> such determined, focused, and competent
294
attacks, but against the early morning knock on your door and
295
the sudden absence of all the servers in your server room.
296
Which it does nicely.
300
<refsect1 id="plugins">
301
<title>PLUGINS</title>
303
In the early designs, the
304
<citerefentry><refentrytitle>mandos-client</refentrytitle
305
><manvolnum>8mandos</manvolnum></citerefentry> program (which
306
retrieves a password from the Mandos server) also prompted for a
307
password on the terminal, in case a Mandos server could not be
308
found. Other ways of retrieving a password could easily be
309
envisoned, but this multiplicity of purpose was seen to be too
310
complex to be a viable way to continue. Instead, the original
311
program was separated into <citerefentry><refentrytitle
312
>mandos-client</refentrytitle><manvolnum>8mandos</manvolnum
313
></citerefentry> and <citerefentry><refentrytitle
314
>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum
315
></citerefentry>, and a <citerefentry><refentrytitle
316
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum
317
></citerefentry> exist to run them both in parallel, allowing
318
the first successful plugin to provide the password. This
319
opened up for any number of additional plugins to run, all
320
competing to be the first to find a password and provide it to
324
Four additional plugins are provided:
329
<citerefentry><refentrytitle>plymouth</refentrytitle>
330
<manvolnum>8mandos</manvolnum></citerefentry>
334
This prompts for a password when using <citerefentry>
335
<refentrytitle>plymouth</refentrytitle><manvolnum
336
>8</manvolnum></citerefentry>.
342
<citerefentry><refentrytitle>usplash</refentrytitle>
343
<manvolnum>8mandos</manvolnum></citerefentry>
347
This prompts for a password when using <citerefentry>
348
<refentrytitle>usplash</refentrytitle><manvolnum
349
>8</manvolnum></citerefentry>.
355
<citerefentry><refentrytitle>splashy</refentrytitle>
356
<manvolnum>8mandos</manvolnum></citerefentry>
360
This prompts for a password when using <citerefentry>
361
<refentrytitle>splashy</refentrytitle><manvolnum
362
>8</manvolnum></citerefentry>.
368
<citerefentry><refentrytitle>askpass-fifo</refentrytitle>
369
<manvolnum>8mandos</manvolnum></citerefentry>
373
To provide compatibility with the "askpass" program from
374
cryptsetup, this plugin listens to the same FIFO as
381
More plugins can easily be written and added by the system
382
administrator; see the section called "WRITING PLUGINS" in
383
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
384
<manvolnum>8mandos</manvolnum></citerefentry> to learn the
389
<refsect1 id="systemd">
390
<title>SYSTEMD</title>
392
More advanced startup systems like <citerefentry><refentrytitle
393
>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
394
already have their own plugin-like mechanisms for allowing
395
multiple agents to independently retrieve a password and deliver
396
it to the subsystem requesting a password to unlock the root
397
file system. On these systems, it would make no sense to run
398
<citerefentry><refentrytitle>plugin-runner</refentrytitle
399
><manvolnum>8mandos</manvolnum></citerefentry>, the plugins of
400
which would largely duplicate the work of (and conflict with)
401
the existing systems prompting for passwords.
404
As for <citerefentry><refentrytitle>systemd</refentrytitle
405
><manvolnum>1</manvolnum></citerefentry> in particular, it has
407
url="https://systemd.io/PASSWORD_AGENTS/">Password
408
Agents</ulink> system. Mandos uses this via its
409
<citerefentry><refentrytitle>password-agent</refentrytitle
410
><manvolnum>8mandos</manvolnum></citerefentry> program, which is
411
run instead of <citerefentry><refentrytitle
412
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum
413
></citerefentry> when <citerefentry><refentrytitle
414
>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
415
is used during system startup.
420
<xi:include href="bugs.xml"/>
423
<refsect1 id="see_also">
424
<title>SEE ALSO</title>
426
<citerefentry><refentrytitle>mandos</refentrytitle>
427
<manvolnum>8</manvolnum></citerefentry>,
428
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
429
<manvolnum>5</manvolnum></citerefentry>,
430
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
431
<manvolnum>5</manvolnum></citerefentry>,
432
<citerefentry><refentrytitle>mandos-ctl</refentrytitle>
433
<manvolnum>8</manvolnum></citerefentry>,
434
<citerefentry><refentrytitle>mandos-monitor</refentrytitle>
435
<manvolnum>8</manvolnum></citerefentry>,
436
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
437
<manvolnum>8mandos</manvolnum></citerefentry>,
438
<citerefentry><refentrytitle>password-agent</refentrytitle>
439
<manvolnum>8mandos</manvolnum></citerefentry>,
440
<citerefentry><refentrytitle>mandos-client</refentrytitle>
441
<manvolnum>8mandos</manvolnum></citerefentry>,
442
<citerefentry><refentrytitle>password-prompt</refentrytitle>
443
<manvolnum>8mandos</manvolnum></citerefentry>,
444
<citerefentry><refentrytitle>plymouth</refentrytitle>
445
<manvolnum>8mandos</manvolnum></citerefentry>,
446
<citerefentry><refentrytitle>usplash</refentrytitle>
447
<manvolnum>8mandos</manvolnum></citerefentry>,
448
<citerefentry><refentrytitle>splashy</refentrytitle>
449
<manvolnum>8mandos</manvolnum></citerefentry>,
450
<citerefentry><refentrytitle>askpass-fifo</refentrytitle>
451
<manvolnum>8mandos</manvolnum></citerefentry>,
452
<citerefentry><refentrytitle>mandos-keygen</refentrytitle>
453
<manvolnum>8</manvolnum></citerefentry>
458
<ulink url="https://www.recompile.se/mandos">Mandos</ulink>
462
The Mandos home page.
469
<!-- Local Variables: -->
470
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
471
<!-- time-stamp-end: "[\"']>" -->
472
<!-- time-stamp-format: "%:y-%02m-%02d" -->