To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 237.2.29
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.29
- Committer: Teddy Hogeborn
- Date: 2009-10-21 22:48:02 UTC
- mto: (24.1.170 mandos) (237.4.29 release)
- mto: This revision was merged to the branch mainline in revision 419.
- Revision ID: teddy@fukt.bsnet.se-20091021224802-v7nijr97tq3h7kep
* initramfs-tools-hook: Only copy needed file; avoid copying Mandos
server config files.
server config files.
- files removed:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2011-11-26">
5
<!ENTITY TIMESTAMP "2009-09-17">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
<firstname>Björn</firstname>
20
20
<surname>Påhlsson</surname>
21
21
<address>
22
<email>belorn@recompile.se</email>
22
<email>belorn@fukt.bsnet.se</email>
23
23
</address>
24
24
</author>
25
25
<author>
26
26
<firstname>Teddy</firstname>
27
27
<surname>Hogeborn</surname>
28
28
<address>
29
<email>teddy@recompile.se</email>
29
<email>teddy@fukt.bsnet.se</email>
30
30
</address>
31
31
</author>
32
32
</authorgroup>
33
33
<copyright>
34
34
<year>2008</year>
35
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
38
36
<holder>Teddy Hogeborn</holder>
39
37
<holder>Björn Påhlsson</holder>
40
38
</copyright>
88
86
<sbr/>
89
87
<arg><option>--debug</option></arg>
90
88
<sbr/>
91
<arg><option>--debuglevel
92
<replaceable>LEVEL</replaceable></option></arg>
93
<sbr/>
94
<arg><option>--no-dbus</option></arg>
95
<sbr/>
96
89
<arg><option>--no-ipv6</option></arg>
97
<sbr/>
98
<arg><option>--no-restore</option></arg>
99
<sbr/>
100
<arg><option>--statedir
101
<replaceable>DIRECTORY</replaceable></option></arg>
102
90
</cmdsynopsis>
103
91
<cmdsynopsis>
104
92
<command>&COMMANDNAME;</command>
122
110
<para>
123
111
<command>&COMMANDNAME;</command> is a server daemon which
124
112
handles incoming request for passwords for a pre-defined list of
125
client host computers. For an introduction, see
126
<citerefentry><refentrytitle>intro</refentrytitle>
127
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
128
uses Zeroconf to announce itself on the local network, and uses
129
TLS to communicate securely with and to authenticate the
130
clients. The Mandos server uses IPv6 to allow Mandos clients to
131
use IPv6 link-local addresses, since the clients will probably
132
not have any other addresses configured (see <xref
133
linkend="overview"/>). Any authenticated client is then given
134
the stored pre-encrypted password for that specific client.
113
client host computers. The Mandos server uses Zeroconf to
114
announce itself on the local network, and uses TLS to
115
communicate securely with and to authenticate the clients. The
116
Mandos server uses IPv6 to allow Mandos clients to use IPv6
117
link-local addresses, since the clients will probably not have
118
any other addresses configured (see <xref linkend="overview"/>).
119
Any authenticated client is then given the stored pre-encrypted
120
password for that specific client.
135
121
</para>
136
122
</refsect1>
137
123
206
192
</varlistentry>
207
193
208
194
<varlistentry>
209
<term><option>--debuglevel
210
<replaceable>LEVEL</replaceable></option></term>
211
<listitem>
212
<para>
213
Set the debugging log level.
214
<replaceable>LEVEL</replaceable> is a string, one of
215
<quote><literal>CRITICAL</literal></quote>,
216
<quote><literal>ERROR</literal></quote>,
217
<quote><literal>WARNING</literal></quote>,
218
<quote><literal>INFO</literal></quote>, or
219
<quote><literal>DEBUG</literal></quote>, in order of
220
increasing verbosity. The default level is
221
<quote><literal>WARNING</literal></quote>.
222
</para>
223
</listitem>
224
</varlistentry>
225
226
<varlistentry>
227
195
<term><option>--priority <replaceable>
228
196
PRIORITY</replaceable></option></term>
229
197
<listitem>
265
233
</varlistentry>
266
234
267
235
<varlistentry>
268
<term><option>--no-dbus</option></term>
269
<listitem>
270
<xi:include href="mandos-options.xml" xpointer="dbus"/>
271
<para>
272
See also <xref linkend="dbus_interface"/>.
273
</para>
274
</listitem>
275
</varlistentry>
276
277
<varlistentry>
278
236
<term><option>--no-ipv6</option></term>
279
237
<listitem>
280
238
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
281
239
</listitem>
282
240
</varlistentry>
283
284
<varlistentry>
285
<term><option>--no-restore</option></term>
286
<listitem>
287
<xi:include href="mandos-options.xml" xpointer="restore"/>
288
</listitem>
289
</varlistentry>
290
291
<varlistentry>
292
<term><option>--statedir
293
<replaceable>DIRECTORY</replaceable></option></term>
294
<listitem>
295
<xi:include href="mandos-options.xml" xpointer="statedir"/>
296
</listitem>
297
</varlistentry>
298
241
</variablelist>
299
242
</refsect1>
300
243
374
317
for some time, the client is assumed to be compromised and is no
375
318
longer eligible to receive the encrypted password. (Manual
376
319
intervention is required to re-enable a client.) The timeout,
377
extended timeout, checker program, and interval between checks
378
can be configured both globally and per client; see
379
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
320
checker program, and interval between checks can be configured
321
both globally and per client; see <citerefentry>
322
<refentrytitle>mandos-clients.conf</refentrytitle>
380
323
<manvolnum>5</manvolnum></citerefentry>. A client successfully
381
324
receiving its password will also be treated as a successful
382
325
checker run.
383
326
</para>
384
327
</refsect1>
385
328
386
<refsect1 id="approval">
387
<title>APPROVAL</title>
388
<para>
389
The server can be configured to require manual approval for a
390
client before it is sent its secret. The delay to wait for such
391
approval and the default action (approve or deny) can be
392
configured both globally and per client; see <citerefentry>
393
<refentrytitle>mandos-clients.conf</refentrytitle>
394
<manvolnum>5</manvolnum></citerefentry>. By default all clients
395
will be approved immediately without delay.
396
</para>
397
<para>
398
This can be used to deny a client its secret if not manually
399
approved within a specified time. It can also be used to make
400
the server delay before giving a client its secret, allowing
401
optional manual denying of this specific client.
402
</para>
403
404
</refsect1>
405
406
329
<refsect1 id="logging">
407
330
<title>LOGGING</title>
408
331
<para>
409
332
The server will send log message with various severity levels to
410
<filename class="devicefile">/dev/log</filename>. With the
333
<filename>/dev/log</filename>. With the
411
334
<option>--debug</option> option, it will log even more messages,
412
335
and also show them on the console.
413
336
</para>
414
337
</refsect1>
415
338
416
<refsect1 id="dbus_interface">
417
<title>D-BUS INTERFACE</title>
418
<para>
419
The server will by default provide a D-Bus system bus interface.
420
This interface will only be accessible by the root user or a
421
Mandos-specific user, if such a user exists. For documentation
422
of the D-Bus API, see the file <filename>DBUS-API</filename>.
423
</para>
424
</refsect1>
425
426
339
<refsect1 id="exit_status">
427
340
<title>EXIT STATUS</title>
428
341
<para>
483
396
<term><filename>/var/run/mandos.pid</filename></term>
484
397
<listitem>
485
398
<para>
486
The file containing the process id of the
487
<command>&COMMANDNAME;</command> process started last.
488
</para>
489
</listitem>
490
</varlistentry>
491
<varlistentry>
492
<term><filename class="devicefile">/dev/log</filename></term>
493
</varlistentry>
494
<varlistentry>
495
<term><filename
496
class="directory">/var/lib/mandos</filename></term>
497
<listitem>
498
<para>
499
Directory where persistent state will be saved. Change
500
this with the <option>--statedir</option> option. See
501
also the <option>--no-restore</option> option.
399
The file containing the process id of
400
<command>&COMMANDNAME;</command>.
502
401
</para>
503
402
</listitem>
504
403
</varlistentry>
532
431
backtrace. This could be considered a feature.
533
432
</para>
534
433
<para>
434
Currently, if a client is declared <quote>invalid</quote> due to
435
having timed out, the server does not record this fact onto
436
permanent storage. This has some security implications, see
437
<xref linkend="clients"/>.
438
</para>
439
<para>
440
There is currently no way of querying the server of the current
441
status of clients, other than analyzing its <systemitem
442
class="service">syslog</systemitem> output.
443
</para>
444
<para>
535
445
There is no fine-grained control over logging and debug output.
536
446
</para>
537
447
<para>
538
448
Debug mode is conflated with running in the foreground.
539
449
</para>
540
450
<para>
451
The console log messages do not show a time stamp.
452
</para>
453
<para>
541
454
This server does not check the expire time of clients’ OpenPGP
542
455
keys.
543
456
</para>
556
469
<informalexample>
557
470
<para>
558
471
Run the server in debug mode, read configuration files from
559
the <filename class="directory">~/mandos</filename> directory,
560
and use the Zeroconf service name <quote>Test</quote> to not
561
collide with any other official Mandos server on this host:
472
the <filename>~/mandos</filename> directory, and use the
473
Zeroconf service name <quote>Test</quote> to not collide with
474
any other official Mandos server on this host:
562
475
</para>
563
476
<para>
564
477
613
526
compromised if they are gone for too long.
614
527
</para>
615
528
<para>
529
If a client is compromised, its downtime should be duly noted
530
by the server which would therefore declare the client
531
invalid. But if the server was ever restarted, it would
532
re-read its client list from its configuration file and again
533
regard all clients therein as valid, and hence eligible to
534
receive their passwords. Therefore, be careful when
535
restarting servers if it is suspected that a client has, in
536
fact, been compromised by parties who may now be running a
537
fake Mandos client with the keys from the non-encrypted
538
initial <acronym>RAM</acronym> image of the client host. What
539
should be done in that case (if restarting the server program
540
really is necessary) is to stop the server program, edit the
541
configuration file to omit any suspect clients, and restart
542
the server program.
543
</para>
544
<para>
616
545
For more details on client-side security, see
617
546
<citerefentry><refentrytitle>mandos-client</refentrytitle>
618
547
<manvolnum>8mandos</manvolnum></citerefentry>.
623
552
<refsect1 id="see_also">
624
553
<title>SEE ALSO</title>
625
554
<para>
626
<citerefentry><refentrytitle>intro</refentrytitle>
627
<manvolnum>8mandos</manvolnum></citerefentry>,
628
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
629
<manvolnum>5</manvolnum></citerefentry>,
630
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
631
<manvolnum>5</manvolnum></citerefentry>,
632
<citerefentry><refentrytitle>mandos-client</refentrytitle>
633
<manvolnum>8mandos</manvolnum></citerefentry>,
634
<citerefentry><refentrytitle>sh</refentrytitle>
635
<manvolnum>1</manvolnum></citerefentry>
555
<citerefentry>
556
<refentrytitle>mandos-clients.conf</refentrytitle>
557
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
558
<refentrytitle>mandos.conf</refentrytitle>
559
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
560
<refentrytitle>mandos-client</refentrytitle>
561
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
562
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
563
</citerefentry>
636
564
</para>
637
565
<variablelist>
638
566
<varlistentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0