/mandos/trunk : revision 176

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2008-09-07 01:44:44 UTC
mfrom: (24.1.93 mandos)
Revision ID: teddy@fukt.bsnet.se-20080907014444-cf4ilzndc0tbn8va

Merge & resolve.

files added:
etc-plugins.d-README

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

mandos-ctl

mandos.lsm

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2009-02-09">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-06">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

</arg>

<sbr/>

<arg>

<option>--delay <replaceable>SECONDS</replaceable></option>

</arg>

<sbr/>

<arg>

100

<option>--debug</option>

101

</arg>

102

</cmdsynopsis>

119

113

</group>

120

114

</cmdsynopsis>

121

115

</refsynopsisdiv>

122

116

123

117

124

118

<title>DESCRIPTION</title>

125

119

<para>

126

120

<command>&COMMANDNAME;</command> is a client program that

127

121

communicates with <citerefentry><refentrytitle

128

122

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

129

to get a password. In slightly more detail, this client program

130

brings up a network interface, uses the interface’s IPv6

131

link-local address to get network connectivity, uses Zeroconf to

132

find servers on the local network, and communicates with servers

133

using TLS with an OpenPGP key to ensure authenticity and

134

confidentiality. This client program keeps running, trying all

135

servers on the network, until it receives a satisfactory reply

136

or a TERM signal is received. If no servers are found, or after

137

all servers have been tried, it waits indefinitely for new

138

servers to appear.

123

to get a password. It uses IPv6 link-local addresses to get

124

network connectivity, Zeroconf to find servers, and TLS with an

125

OpenPGP key to ensure authenticity and confidentiality. It

126

keeps running, trying all servers on the network, until it

127

receives a satisfactory reply or a TERM signal is received.

139

128

</para>

140

129

<para>

141

130

This program is not meant to be run directly; it is really meant

195

184

</varlistentry>

196

185

197

186

198

<term><option>--interface=<replaceable

199

>NAME</replaceable></option></term>

187

<term><option>--interface=

188

200

189

<term><option>-i

201

190

202

191

203

192

<para>

204

193

Network interface that will be brought up and scanned for

205

Mandos servers to connect to. The default is

194

Mandos servers to connect to. The default it

206

195

<quote><literal>eth0</literal></quote>.

207

196

</para>

208

197

<para>

210

199

specifies the interface to use to connect to the address

211

200

given.

212

201

</para>

213

<para>

214

Note that since this program will normally run in the

215

initial RAM disk environment, the interface must be an

216

interface which exists at that stage. Thus, the interface

217

can not be a pseudo-interface such as <quote>br0</quote>

218

or <quote>tun0</quote>; such interfaces will not exist

219

until much later in the boot process, and can not be used

220

by this program.

221

</para>

222

<para>

223

<replaceable>NAME</replaceable> can be the empty string;

224

this will not use any specific interface, and will not

225

bring up an interface on startup. This is not

226

recommended, and only meant for advanced users.

227

</para>

228

202

</listitem>

229

203

</varlistentry>

230

204

241

215

</para>

242

216

</listitem>

243

217

</varlistentry>

244

218

245

219

246

220

<term><option>--seckey=<replaceable

247

221

>FILE</replaceable></option></term>

264

238

xpointer="priority"/>

265

239

</listitem>

266

240

</varlistentry>

267

241

268

242

269

243

<term><option>--dh-bits=<replaceable

270

244

>BITS</replaceable></option></term>

275

249

</para>

276

250

</listitem>

277

251

</varlistentry>

278

279

280

<term><option>--delay=<replaceable

281

>SECONDS</replaceable></option></term>

282

283

<para>

284

After bringing the network interface up, the program waits

285

for the interface to arrive in a <quote>running</quote>

286

state before proceeding. During this time, the kernel log

287

level will be lowered to reduce clutter on the system

288

console, alleviating any other plugins which might be

289

using the system console. This option sets the upper

290

limit of seconds to wait. The default is 2.5 seconds.

291

</para>

292

</listitem>

293

</varlistentry>

294

252

295

253

296

254

<term><option>--debug</option></term>

326

284

</para>

327

285

</listitem>

328

286

</varlistentry>

329

287

330

288

331

289

<term><option>--version</option></term>

332

290

338

296

</varlistentry>

339

297

</variablelist>

340

298

</refsect1>

341

299

342

300

343

301

<title>OVERVIEW</title>

344

302

<xi:include href="../overview.xml"/>

385

343

</para>

386

344

</refsect1>

387

345

388

346

389

347

<title>FILES</title>

390

348

391

349

410

368

411

369

412

370

413

371

414

372

415

373

<title>EXAMPLE</title>

416

374

<para>

452

410

453

411

<para>

454

412

Run in debug mode, with a custom key, and do not use Zeroconf

455

to locate a server; connect directly to the IPv6 link-local

456

address <quote><systemitem class="ipaddress"

457

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

458

using interface eth2:

413

to locate a server; connect directly to the IPv6 address

414

<quote><systemitem class="ipaddress"

415

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

416

port 4711, using interface eth2:

459

417

</para>

460

418

<para>

461

419

462

420

463

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

421

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

464

422

465

423

</para>

466

424

</informalexample>

467

425

</refsect1>

468

426

469

427

470

428

<title>SECURITY</title>

471

429

<para>

491

449

The only remaining weak point is that someone with physical

492

450

access to the client hard drive might turn off the client

493

451

computer, read the OpenPGP keys directly from the hard drive,

494

and communicate with the server. To safeguard against this, the

495

server is supposed to notice the client disappearing and stop

496

giving out the encrypted data. Therefore, it is important to

497

set the timeout and checker interval values tightly on the

498

server. See <citerefentry><refentrytitle

452

and communicate with the server. The defense against this is

453

that the server is supposed to notice the client disappearing

454

and will stop giving out the encrypted data. Therefore, it is

455

important to set the timeout and checker interval values tightly

456

on the server. See <citerefentry><refentrytitle

499

457

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

500

458

</para>

501

459

<para>

512

470

confidential.

513

471

</para>

514

472

</refsect1>

515

473

516

474

517

475

518

476

<para>

643

601

</varlistentry>

644

602

</variablelist>

645

603

</refsect1>

604

646

605

</refentry>

647

648

606

649

607

650

608

Older »