/mandos/trunk : revision 174

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-06 17:24:58 UTC
Revision ID: teddy@fukt.bsnet.se-20080906172458-2x5wlfkn7oqckt1y

* legalnotice.xml: Copy DocBook 4.4-formatted text from
<http://www.gnu.org/licenses/gpl-3.0.dbk>.

files added:
etc-plugins.d-README

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-06">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

116

100

<arg choice="plain"><option>--check</option></arg>

117

101

</cmdsynopsis>

118

102

</refsynopsisdiv>

119

103

120

104

121

105

<title>DESCRIPTION</title>

122

106

<para>

123

107

<command>&COMMANDNAME;</command> is a server daemon which

124

108

handles incoming request for passwords for a pre-defined list of

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

109

client host computers. The Mandos server uses Zeroconf to

110

announce itself on the local network, and uses TLS to

111

communicate securely with and to authenticate the clients. The

112

Mandos server uses IPv6 to allow Mandos clients to use IPv6

113

link-local addresses, since the clients will probably not have

114

any other addresses configured (see <xref linkend="overview"/>).

115

Any authenticated client is then given the stored pre-encrypted

116

password for that specific client.

135

117

</para>

136

118

</refsect1>

137

119

204

186

<xi:include href="mandos-options.xml" xpointer="debug"/>

205

187

</listitem>

206

188

</varlistentry>

207

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

189

226

190

227

191

<term><option>--priority <replaceable>

228

192

PRIORITY</replaceable></option></term>

230

194

<xi:include href="mandos-options.xml" xpointer="priority"/>

231

195

</listitem>

232

196

</varlistentry>

233

197

234

198

235

199

<term><option>--servicename

236

200

239

203

xpointer="servicename"/>

240

204

</listitem>

241

205

</varlistentry>

242

206

243

207

244

208

<term><option>--configdir

245

209

<replaceable>DIRECTORY</replaceable></option></term>

254

218

</para>

255

219

</listitem>

256

220

</varlistentry>

257

221

258

222

259

223

<term><option>--version</option></term>

260

224

263

227

</para>

264

228

</listitem>

265

229

</varlistentry>

266

267

268

269

270

<xi:include href="mandos-options.xml" xpointer="dbus"/>

271

<para>

272

See also <xref linkend="dbus_interface"/>.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

298

230

</variablelist>

299

231

</refsect1>

300

232

301

233

302

234

<title>OVERVIEW</title>

303

235

<xi:include href="overview.xml"/>

307

239

<acronym>RAM</acronym> disk environment.

308

240

</para>

309

241

</refsect1>

310

242

311

243

312

244

<title>NETWORK PROTOCOL</title>

313

245

<para>

365

297

</row>

366

298

</tbody></tgroup></table>

367

299

</refsect1>

368

300

369

301

370

302

<title>CHECKING</title>

371

303

<para>

372

304

The server will, by default, continually check that the clients

373

305

are still up. If a client has not been confirmed as being up

374

306

for some time, the client is assumed to be compromised and is no

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

307

longer eligible to receive the encrypted password. The timeout,

308

checker program, and interval between checks can be configured

309

both globally and per client; see <citerefentry>

393

310

<refentrytitle>mandos-clients.conf</refentrytitle>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

311

<manvolnum>5</manvolnum></citerefentry>.

312

</para>

404

313

</refsect1>

405

314

406

315

407

316

<title>LOGGING</title>

408

317

<para>

409

318

The server will send log message with various severity levels to

410

<filename class="devicefile">/dev/log</filename>. With the

319

<filename>/dev/log</filename>. With the

411

320

<option>--debug</option> option, it will log even more messages,

412

321

and also show them on the console.

413

322

</para>

414

323

</refsect1>

415

416

417

<title>D-BUS INTERFACE</title>

418

<para>

419

The server will by default provide a D-Bus system bus interface.

420

This interface will only be accessible by the root user or a

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

423

</para>

424

</refsect1>

425

324

426

325

427

326

<title>EXIT STATUS</title>

428

327

<para>

430

329

critical error is encountered.

431

330

</para>

432

331

</refsect1>

433

332

434

333

435

334

<title>ENVIRONMENT</title>

436

335

450

349

</varlistentry>

451

350

</variablelist>

452

351

</refsect1>

453

454

352

353

455

354

<title>FILES</title>

456

355

<para>

457

356

Use the <option>--configdir</option> option to change where

483

382

<term><filename>/var/run/mandos.pid</filename></term>

484

383

485

384

<para>

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

493

</varlistentry>

494

495

<term><filename

496

class="directory">/var/lib/mandos</filename></term>

497

498

<para>

499

Directory where persistent state will be saved. Change

500

this with the <option>--statedir</option> option. See

501

also the <option>--no-restore</option> option.

385

The file containing the process id of

386

<command>&COMMANDNAME;</command>.

502

387

</para>

503

388

</listitem>

504

389

</varlistentry>

532

417

backtrace. This could be considered a feature.

533

418

</para>

534

419

<para>

420

Currently, if a client is declared <quote>invalid</quote> due to

421

having timed out, the server does not record this fact onto

422

permanent storage. This has some security implications, see

423

<xref linkend="CLIENTS"/>.

424

</para>

425

<para>

426

There is currently no way of querying the server of the current

427

status of clients, other than analyzing its <systemitem

428

class="service">syslog</systemitem> output.

429

</para>

430

<para>

535

431

There is no fine-grained control over logging and debug output.

536

432

</para>

537

433

<para>

538

434

Debug mode is conflated with running in the foreground.

539

435

</para>

540

436

<para>

437

The console log messages does not show a time stamp.

438

</para>

439

<para>

541

440

This server does not check the expire time of clients’ OpenPGP

542

441

keys.

543

442

</para>

556

455

557

456

<para>

558

457

Run the server in debug mode, read configuration files from

559

the <filename class="directory">~/mandos</filename> directory,

560

and use the Zeroconf service name <quote>Test</quote> to not

561

collide with any other official Mandos server on this host:

458

the <filename>~/mandos</filename> directory, and use the

459

Zeroconf service name <quote>Test</quote> to not collide with

460

any other official Mandos server on this host:

562

461

</para>

563

462

<para>

564

463

580

479

</para>

581

480

</informalexample>

582

481

</refsect1>

583

482

584

483

585

484

<title>SECURITY</title>

586

485

587

486

<title>SERVER</title>

588

487

<para>

589

488

Running this <command>&COMMANDNAME;</command> server program

592

491

soon after startup.

593

492

</para>

594

493

</refsect2>

595

494

596

495

<title>CLIENTS</title>

597

496

<para>

598

497

The server only gives out its stored data to clients which

605

504

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

606

505

<manvolnum>5</manvolnum></citerefentry>)

607

506

<emphasis>must</emphasis> be made non-readable by anyone

608

except the user starting the server (usually root).

507

except the user running the server.

609

508

</para>

610

509

<para>

611

510

As detailed in <xref linkend="checking"/>, the status of all

613

512

compromised if they are gone for too long.

614

513

</para>

615

514

<para>

515

If a client is compromised, its downtime should be duly noted

516

by the server which would therefore declare the client

517

invalid. But if the server was ever restarted, it would

518

re-read its client list from its configuration file and again

519

regard all clients therein as valid, and hence eligible to

520

receive their passwords. Therefore, be careful when

521

restarting servers if it is suspected that a client has, in

522

fact, been compromised by parties who may now be running a

523

fake Mandos client with the keys from the non-encrypted

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

527

configuration file to omit any suspect clients, and restart

528

the server program.

529

</para>

530

<para>

616

531

For more details on client-side security, see

617

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

618

533

<manvolnum>8mandos</manvolnum></citerefentry>.

619

534

</para>

620

535

</refsect2>

621

536

</refsect1>

622

537

623

538

624

539

625

540

<para>

626

<citerefentry><refentrytitle>intro</refentrytitle>

627

<manvolnum>8mandos</manvolnum></citerefentry>,

628

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

629

<manvolnum>5</manvolnum></citerefentry>,

630

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

631

<manvolnum>5</manvolnum></citerefentry>,

632

<citerefentry><refentrytitle>mandos-client</refentrytitle>

633

<manvolnum>8mandos</manvolnum></citerefentry>,

634

635

541

542

<refentrytitle>mandos-clients.conf</refentrytitle>

543

544

<refentrytitle>mandos.conf</refentrytitle>

545

546

<refentrytitle>mandos-client</refentrytitle>

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

549

</citerefentry>

636

550

</para>

637

551

638

552

Older »