/mandos/trunk : revision 203

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2008-09-21 14:05:44 UTC
mfrom: (24.1.103 mandos)
Revision ID: teddy@fukt.bsnet.se-20080921140544-e9qo7alcl0bne2mn

Merge.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

plugin-runner.conf

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2008-09-12">

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

120

113

</group>

121

114

</cmdsynopsis>

122

115

</refsynopsisdiv>

123

116

124

117

125

118

<title>DESCRIPTION</title>

126

119

<para>

131

124

network connectivity, Zeroconf to find servers, and TLS with an

132

125

OpenPGP key to ensure authenticity and confidentiality. It

133

126

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply or a TERM signal is recieved.

127

receives a satisfactory reply or a TERM signal is received.

135

128

</para>

136

129

<para>

137

130

This program is not meant to be run directly; it is really meant

191

184

</varlistentry>

192

185

193

186

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

187

<term><option>--interface=

211

188

212

189

<term><option>-i

232

209

233

210

234

211

<para>

235

OpenPGP public key file base name. This will be combined

236

with the directory from the <option>--keydir</option>

237

option to form an absolute file name. The default name is

238

<quote><literal>pubkey.txt</literal></quote>.

212

OpenPGP public key file name. The default name is

213

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

214

></quote>.

239

215

</para>

240

216

</listitem>

241

217

</varlistentry>

242

218

243

219

244

220

<term><option>--seckey=<replaceable

245

221

>FILE</replaceable></option></term>

247

223

248

224

249

225

<para>

250

OpenPGP secret key file base name. This will be combined

251

with the directory from the <option>--keydir</option>

252

option to form an absolute file name. The default name is

253

<quote><literal>seckey.txt</literal></quote>.

226

OpenPGP secret key file name. The default name is

227

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

228

></quote>.

254

229

</para>

255

230

</listitem>

256

231

</varlistentry>

263

238

xpointer="priority"/>

264

239

</listitem>

265

240

</varlistentry>

266

241

267

242

268

243

<term><option>--dh-bits=<replaceable

269

244

>BITS</replaceable></option></term>

309

284

</para>

310

285

</listitem>

311

286

</varlistentry>

312

287

313

288

314

289

<term><option>--version</option></term>

315

290

321

296

</varlistentry>

322

297

</variablelist>

323

298

</refsect1>

324

299

325

300

326

301

<title>OVERVIEW</title>

327

302

<xi:include href="../overview.xml"/>

336

311

<filename>/etc/crypttab</filename>, but it would then be

337

312

impossible to enter a password for the encrypted root disk at

338

313

the console, since this program does not read from the console

339

at all. This is why a separate plugin does that, which will be

340

run in parallell to this one by the plugin runner.

314

at all. This is why a separate plugin runner (<citerefentry>

315

<refentrytitle>plugin-runner</refentrytitle>

316

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

317

both this program and others in in parallel,

318

<emphasis>one</emphasis> of which will prompt for passwords on

319

the system console.

341

320

</para>

342

321

</refsect1>

343

322

350

329

program will exit with a non-zero exit status only if a critical

351

330

error occurs. Otherwise, it will forever connect to new

352

331

<application>Mandos</application> servers as they appear, trying

353

to get a decryptable password.

332

to get a decryptable password and print it.

354

333

</para>

355

334

</refsect1>

356

335

389

368

390

369

391

370

392

371

393

372

394

373

<title>EXAMPLE</title>

395

374

<para>

409

388

</informalexample>

410

389

411

390

<para>

412

Search for Mandos servers on another interface:

391

Search for Mandos servers (and connect to them) using another

392

interface:

413

393

</para>

414

394

<para>

415

395

418

398

</informalexample>

419

399

420

400

<para>

421

Run in debug mode, and use a custom key directory:

401

Run in debug mode, and use a custom key:

422

402

</para>

423

403

<para>

424

425

<userinput>&COMMANDNAME; --debug --keydir keydir</userinput>

404

405

406

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

407

426

408

</para>

427

409

</informalexample>

428

410

429

411

<para>

430

Run in debug mode, with a custom key directory, and do not use

431

Zeroconf to locate a server; connect directly to the IPv6

432

address <quote><systemitem class="ipaddress"

412

Run in debug mode, with a custom key, and do not use Zeroconf

413

to locate a server; connect directly to the IPv6 address

414

<quote><systemitem class="ipaddress"

433

415

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

434

416

port 4711, using interface eth2:

435

417

</para>

436

418

<para>

437

419

438

420

439

<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

421

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

440

422

441

423

</para>

442

424

</informalexample>

443

425

</refsect1>

444

426

445

427

446

428

<title>SECURITY</title>

447

429

<para>

448

430

This program is set-uid to root, but will switch back to the

449

original user and group after bringing up the network interface.

431

original (and presumably non-privileged) user and group after

432

bringing up the network interface.

450

433

</para>

451

434

<para>

452

435

To use this program for its intended purpose (see <xref

474

457

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

475

458

</para>

476

459

<para>

477

<emphasis>Note</emphasis>: This makes it impossible to have

478

<application >Mandos</application> clients which dual-boot to

479

another operating system which does <emphasis>not</emphasis> run

480

a <application>Mandos</application> client.

460

It will also help if the checker program on the server is

461

configured to request something from the client which can not be

462

spoofed by someone else on the network, unlike unencrypted

463

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

464

</para>

465

<para>

466

<emphasis>Note</emphasis>: This makes it completely insecure to

467

have <application >Mandos</application> clients which dual-boot

468

to another operating system which is <emphasis>not</emphasis>

469

trusted to keep the initial <acronym>RAM</acronym> disk image

470

confidential.

481

471

</para>

482

472

</refsect1>

483

473

484

474

485

475

486

476

<para>

477

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

478

<manvolnum>8</manvolnum></citerefentry>,

479

<citerefentry><refentrytitle>crypttab</refentrytitle>

480

<manvolnum>5</manvolnum></citerefentry>,

487

481

<citerefentry><refentrytitle>mandos</refentrytitle>

488

482

<manvolnum>8</manvolnum></citerefentry>,

489

483

<citerefentry><refentrytitle>password-prompt</refentrytitle>

491

485

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

492

486

<manvolnum>8mandos</manvolnum></citerefentry>

493

487

</para>

494

495

496

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

497

</para></listitem>

498

499

500

<ulink url="http://www.avahi.org/">Avahi</ulink>

501

</para></listitem>

502

503

504

<ulink

505

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

506

</para></listitem>

507

508

509

<ulink

510

url="http://www.gnupg.org/related_software/gpgme/"

511

>GPGME</ulink>

512

</para></listitem>

513

514

515

<citation>RFC 4880: <citetitle>OpenPGP Message

516

Format</citetitle></citation>

517

</para></listitem>

518

519

520

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

521

Transport Layer Security</citetitle></citation>

522

</para></listitem>

523

524

525

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

526

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

527

Unicast Addresses</citation>

528

</para></listitem>

529

</itemizedlist>

488

489

490

<term>

491

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

492

</term>

493

494

<para>

495

Zeroconf is the network protocol standard used for finding

496

Mandos servers on the local network.

497

</para>

498

</listitem>

499

</varlistentry>

500

501

<term>

502

<ulink url="http://www.avahi.org/">Avahi</ulink>

503

</term>

504

505

<para>

506

Avahi is the library this program calls to find Zeroconf

507

services.

508

</para>

509

</listitem>

510

</varlistentry>

511

512

<term>

513

<ulink url="http://www.gnu.org/software/gnutls/"

514

>GnuTLS</ulink>

515

</term>

516

517

<para>

518

GnuTLS is the library this client uses to implement TLS for

519

communicating securely with the server, and at the same time

520

send the public OpenPGP key to the server.

521

</para>

522

</listitem>

523

</varlistentry>

524

525

<term>

526

<ulink url="http://www.gnupg.org/related_software/gpgme/"

527

>GPGME</ulink>

528

</term>

529

530

<para>

531

GPGME is the library used to decrypt the OpenPGP data sent

532

by the server.

533

</para>

534

</listitem>

535

</varlistentry>

536

537

<term>

538

RFC 4291: <citetitle>IP Version 6 Addressing

539

Architecture</citetitle>

540

</term>

541

542

543

544

<term>Section 2.2: <citetitle>Text Representation of

545

Addresses</citetitle></term>

546

547

</varlistentry>

548

549

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

550

Address</citetitle></term>

551

552

</varlistentry>

553

554

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

555

Addresses</citetitle></term>

556

557

<para>

558

This client uses IPv6 link-local addresses, which are

559

immediately usable since a link-local addresses is

560

automatically assigned to a network interfaces when it

561

is brought up.

562

</para>

563

</listitem>

564

</varlistentry>

565

</variablelist>

566

</listitem>

567

</varlistentry>

568

569

<term>

570

RFC 4346: <citetitle>The Transport Layer Security (TLS)

571

Protocol Version 1.1</citetitle>

572

</term>

573

574

<para>

575

TLS 1.1 is the protocol implemented by GnuTLS.

576

</para>

577

</listitem>

578

</varlistentry>

579

580

<term>

581

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

582

</term>

583

584

<para>

585

The data received from the server is binary encrypted

586

OpenPGP data.

587

</para>

588

</listitem>

589

</varlistentry>

590

591

<term>

592

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

593

Security</citetitle>

594

</term>

595

596

<para>

597

This is implemented by GnuTLS and used by this program so

598

that OpenPGP keys can be used.

599

</para>

600

</listitem>

601

</varlistentry>

602

</variablelist>

530

603

</refsect1>

531

532

604

</refentry>

605

533

606

534

607

535

608

Older »