/mandos/trunk : revision 442

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2010-09-26 17:36:30 UTC
Revision ID: teddy@fukt.bsnet.se-20100926173630-zk7pe17fp2bv6zr7

* DBUS-API: Document new "LastApprovalRequest" client property.

* mandos (Client.last_approval_request): New attribute.
  (Client.need_approval): New method.
  (ClientDBus.need_approval): - '' -
  (ClientDBus.NeedApproval): Call self.need_approval().
  (ClientDBus.LastApprovalRequest_dbus_property): New D-Bus property.

* mandos-monitor: Show timeout counter during approval delay.
  (MandosClientWidget._update_timer_callback_lock): New.
  (MandosClientWidget.property_changed): Override to also call
                                         using_timer if
                                         ApprovalPending property is
                                         changed.
  (MandosClientWidget.using_timer): New method.
  (MandosClientWidget.checker_completed): Use "using_timer".
  (MandosClientWidget.need_approval): - '' -
  (MandosClientWidget.update): Show approval delay timer.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-25">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

102

<arg choice="plain">--version</arg>

102

<arg choice="plain"><option>--version</option></arg>

103

</cmdsynopsis>

104

105

<command>&COMMANDNAME;</command>

106

<arg choice="plain">--check</arg>

106

<arg choice="plain"><option>--check</option></arg>

107

</cmdsynopsis>

108

</refsynopsisdiv>

109

110

111

<title>DESCRIPTION</title>

112

<para>

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

123

</para>

124

125

124

</refsect1>

126

125

127

126

128

127

<title>PURPOSE</title>

129

130

128

<para>

131

129

The purpose of this is to enable <emphasis>remote and unattended

132

130

rebooting</emphasis> of client host computer with an

133

131

<emphasis>encrypted root file system</emphasis>. See <xref

134

132

linkend="overview"/> for details.

135

133

</para>

136

137

134

</refsect1>

138

135

139

136

140

137

<title>OPTIONS</title>

141

142

138

143

139

144

140

141

145

142

146

143

<para>

147

144

Show a help message and exit

148

145

</para>

149

146

</listitem>

150

147

</varlistentry>

151

148

152

149

153

<term><literal>-i</literal>, <literal>--interface <replaceable

154

>NAME</replaceable></literal></term>

150

<term><option>--interface</option>

151

152

153

155

154

156

155

<xi:include href="mandos-options.xml" xpointer="interface"/>

157

156

</listitem>

158

157

</varlistentry>

159

158

160

159

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

160

<term><option>--address

161

<replaceable>ADDRESS</replaceable></option></term>

162

<term><option>-a

163

<replaceable>ADDRESS</replaceable></option></term>

163

164

164

165

<xi:include href="mandos-options.xml" xpointer="address"/>

165

166

</listitem>

166

167

</varlistentry>

167

168

169

169

170

PORT</replaceable></literal></term>

170

<term><option>--port

171

172

<term><option>-p

173

171

174

172

175

<xi:include href="mandos-options.xml" xpointer="port"/>

173

176

</listitem>

174

177

</varlistentry>

175

178

176

179

177

<term><literal>--check</literal></term>

180

<term><option>--check</option></term>

178

181

179

182

<para>

180

183

Run the server’s self-tests. This includes any unit

182

185

</para>

183

186

</listitem>

184

187

</varlistentry>

185

188

186

189

187

<term><literal>--debug</literal></term>

190

<term><option>--debug</option></term>

188

191

189

192

<xi:include href="mandos-options.xml" xpointer="debug"/>

190

193

</listitem>

191

194

</varlistentry>

192

195

193

196

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

197

<term><option>--priority <replaceable>

198

PRIORITY</replaceable></option></term>

196

199

197

200

<xi:include href="mandos-options.xml" xpointer="priority"/>

198

201

</listitem>

199

202

</varlistentry>

200

203

201

204

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

205

<term><option>--servicename

206

204

207

205

208

<xi:include href="mandos-options.xml"

206

209

xpointer="servicename"/>

207

210

</listitem>

208

211

</varlistentry>

209

212

210

213

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

214

<term><option>--configdir

215

<replaceable>DIRECTORY</replaceable></option></term>

213

216

214

217

<para>

215

218

Directory to search for configuration files. Default is

221

224

</para>

222

225

</listitem>

223

226

</varlistentry>

224

227

225

228

226

<term><literal>--version</literal></term>

229

<term><option>--version</option></term>

227

230

228

231

<para>

229

232

Prints the program version and exit.

230

233

</para>

231

234

</listitem>

232

235

</varlistentry>

236

237

238

239

240

<xi:include href="mandos-options.xml" xpointer="dbus"/>

241

<para>

242

See also <xref linkend="dbus_interface"/>.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

249

250

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

251

</listitem>

252

</varlistentry>

233

253

</variablelist>

234

254

</refsect1>

235

255

236

256

237

257

<title>OVERVIEW</title>

238

258

<xi:include href="overview.xml"/>

239

259

<para>

240

260

This program is the server part. It is a normal server program

241

261

and will run in a normal system environment, not in an initial

242

RAM disk environment.

262

<acronym>RAM</acronym> disk environment.

243

263

</para>

244

264

</refsect1>

245

265

246

266

247

267

<title>NETWORK PROTOCOL</title>

248

268

<para>

300

320

</row>

301

321

</tbody></tgroup></table>

302

322

</refsect1>

303

323

304

324

305

325

<title>CHECKING</title>

306

326

<para>

307

327

The server will, by default, continually check that the clients

308

328

are still up. If a client has not been confirmed as being up

309

329

for some time, the client is assumed to be compromised and is no

310

longer eligible to receive the encrypted password. The timeout,

330

longer eligible to receive the encrypted password. (Manual

331

intervention is required to re-enable a client.) The timeout,

311

332

checker program, and interval between checks can be configured

312

333

both globally and per client; see <citerefentry>

313

334

<refentrytitle>mandos-clients.conf</refentrytitle>

314

<manvolnum>5</manvolnum></citerefentry>.

315

</para>

316

</refsect1>

317

335

<manvolnum>5</manvolnum></citerefentry>. A client successfully

336

receiving its password will also be treated as a successful

337

checker run.

338

</para>

339

</refsect1>

340

341

342

<title>APPROVAL</title>

343

<para>

344

The server can be configured to require manual approval for a

345

client before it is sent its secret. The delay to wait for such

346

approval and the default action (approve or deny) can be

347

configured both globally and per client; see <citerefentry>

348

<refentrytitle>mandos-clients.conf</refentrytitle>

349

<manvolnum>5</manvolnum></citerefentry>. By default all clients

350

will be approved immediately without delay.

351

</para>

352

<para>

353

This can be used to deny a client its secret if not manually

354

approved within a specified time. It can also be used to make

355

the server delay before giving a client its secret, allowing

356

optional manual denying of this specific client.

357

</para>

358

359

</refsect1>

360

318

361

319

362

<title>LOGGING</title>

320

363

<para>

324

367

and also show them on the console.

325

368

</para>

326

369

</refsect1>

327

370

371

372

<title>D-BUS INTERFACE</title>

373

<para>

374

The server will by default provide a D-Bus system bus interface.

375

This interface will only be accessible by the root user or a

376

Mandos-specific user, if such a user exists. For documentation

377

of the D-Bus API, see the file <filename>DBUS-API</filename>.

378

</para>

379

</refsect1>

380

328

381

329

382

<title>EXIT STATUS</title>

330

383

<para>

332

385

critical error is encountered.

333

386

</para>

334

387

</refsect1>

335

388

336

389

337

390

<title>ENVIRONMENT</title>

338

391

339

392

340

393

341

394

342

395

<para>

343

396

To start the configured checker (see <xref

352

405

</varlistentry>

353

406

</variablelist>

354

407

</refsect1>

355

356

408

409

357

410

<title>FILES</title>

358

411

<para>

359

412

Use the <option>--configdir</option> option to change where

382

435

</listitem>

383

436

</varlistentry>

384

437

385

<term><filename>/var/run/mandos/mandos.pid</filename></term>

438

<term><filename>/var/run/mandos.pid</filename></term>

386

439

387

440

<para>

388

The file containing the process id of

389

<command>&COMMANDNAME;</command>.

441

The file containing the process id of the

442

<command>&COMMANDNAME;</command> process started last.

390

443

</para>

391

444

</listitem>

392

445

</varlistentry>

420

473

backtrace. This could be considered a feature.

421

474

</para>

422

475

<para>

423

Currently, if a client is declared <quote>invalid</quote> due to

424

having timed out, the server does not record this fact onto

425

permanent storage. This has some security implications, see

426

<xref linkend="CLIENTS"/>.

427

</para>

428

<para>

429

There is currently no way of querying the server of the current

430

status of clients, other than analyzing its <systemitem

431

class="service">syslog</systemitem> output.

476

Currently, if a client is disabled due to having timed out, the

477

server does not record this fact onto permanent storage. This

478

has some security implications, see <xref linkend="clients"/>.

432

479

</para>

433

480

<para>

434

481

There is no fine-grained control over logging and debug output.

437

484

Debug mode is conflated with running in the foreground.

438

485

</para>

439

486

<para>

440

The console log messages does not show a timestamp.

487

The console log messages do not show a time stamp.

488

</para>

489

<para>

490

This server does not check the expire time of clients’ OpenPGP

491

keys.

441

492

</para>

442

493

</refsect1>

443

494

478

529

</para>

479

530

</informalexample>

480

531

</refsect1>

481

532

482

533

483

534

<title>SECURITY</title>

484

535

485

536

<title>SERVER</title>

486

537

<para>

487

538

Running this <command>&COMMANDNAME;</command> server program

488

539

should not in itself present any security risk to the host

489

computer running it. The program does not need any special

490

privileges to run, and is designed to run as a non-root user.

540

computer running it. The program switches to a non-root user

541

soon after startup.

491

542

</para>

492

543

</refsect2>

493

544

494

545

<title>CLIENTS</title>

495

546

<para>

496

547

The server only gives out its stored data to clients which

503

554

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

504

555

<manvolnum>5</manvolnum></citerefentry>)

505

556

<emphasis>must</emphasis> be made non-readable by anyone

506

except the user running the server.

557

except the user starting the server (usually root).

507

558

</para>

508

559

<para>

509

560

As detailed in <xref linkend="checking"/>, the status of all

512

563

</para>

513

564

<para>

514

565

If a client is compromised, its downtime should be duly noted

515

by the server which would therefore declare the client

516

invalid. But if the server was ever restarted, it would

517

re-read its client list from its configuration file and again

518

regard all clients therein as valid, and hence eligible to

519

receive their passwords. Therefore, be careful when

520

restarting servers if it is suspected that a client has, in

521

fact, been compromised by parties who may now be running a

522

fake Mandos client with the keys from the non-encrypted

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

526

configuration file to omit any suspect clients, and restart

527

the server program.

566

by the server which would therefore disable the client. But

567

if the server was ever restarted, it would re-read its client

568

list from its configuration file and again regard all clients

569

therein as enabled, and hence eligible to receive their

570

passwords. Therefore, be careful when restarting servers if

571

it is suspected that a client has, in fact, been compromised

572

by parties who may now be running a fake Mandos client with

573

the keys from the non-encrypted initial <acronym>RAM</acronym>

574

image of the client host. What should be done in that case

575

(if restarting the server program really is necessary) is to

576

stop the server program, edit the configuration file to omit

577

any suspect clients, and restart the server program.

528

578

</para>

529

579

<para>

530

580

For more details on client-side security, see

531

<citerefentry><refentrytitle>password-request</refentrytitle>

581

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

582

<manvolnum>8mandos</manvolnum></citerefentry>.

533

583

</para>

534

584

</refsect2>

535

585

</refsect1>

536

586

537

587

538

588

539

589

<para>

540

590

591

<refentrytitle>mandos-clients.conf</refentrytitle>

592

541

593

<refentrytitle>mandos.conf</refentrytitle>

542

594

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>password-request</refentrytitle>

595

<refentrytitle>mandos-client</refentrytitle>

546

596

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

547

597

548

598

</citerefentry>

651

701

</variablelist>

652

702

</refsect1>

653

703

</refentry>

704

705

706

707

708

Older »