/mandos/trunk : revision 445

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2010-09-26 21:27:28 UTC
Revision ID: teddy@fukt.bsnet.se-20100926212728-ej205k5037nfhz2g

Update copyright year to "2010" wherever appropriate.

* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-30">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

</group>

101

100

</cmdsynopsis>

102

101

103

102

<command>&COMMANDNAME;</command>

104

<arg choice="plain">--version</arg>

103

<arg choice="plain"><option>--version</option></arg>

105

104

</cmdsynopsis>

106

105

107

106

<command>&COMMANDNAME;</command>

108

<arg choice="plain">--check</arg>

107

<arg choice="plain"><option>--check</option></arg>

109

108

</cmdsynopsis>

110

109

</refsynopsisdiv>

111

110

112

111

113

112

<title>DESCRIPTION</title>

114

113

<para>

123

122

Any authenticated client is then given the stored pre-encrypted

124

123

password for that specific client.

125

124

</para>

126

127

125

</refsect1>

128

126

129

127

130

128

<title>PURPOSE</title>

131

132

129

<para>

133

130

The purpose of this is to enable <emphasis>remote and unattended

134

131

rebooting</emphasis> of client host computer with an

135

132

<emphasis>encrypted root file system</emphasis>. See <xref

136

133

linkend="overview"/> for details.

137

134

</para>

138

139

135

</refsect1>

140

136

141

137

142

138

<title>OPTIONS</title>

143

144

139

145

140

141

146

142

147

148

143

149

144

<para>

150

145

Show a help message and exit

151

146

</para>

152

147

</listitem>

153

148

</varlistentry>

154

149

155

150

151

<term><option>--interface</option>

152

156

153

157

154

158

<term><option>--interface</option>

159

160

155

161

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

162

157

</listitem>

163

158

</varlistentry>

164

159

165

160

166

<term><literal>-a</literal>, <literal>--address <replaceable>

167

ADDRESS</replaceable></literal></term>

161

<term><option>--address

162

<replaceable>ADDRESS</replaceable></option></term>

163

<term><option>-a

164

<replaceable>ADDRESS</replaceable></option></term>

168

165

169

166

<xi:include href="mandos-options.xml" xpointer="address"/>

170

167

</listitem>

171

168

</varlistentry>

172

169

173

170

174

175

PORT</replaceable></literal></term>

171

<term><option>--port

172

173

<term><option>-p

174

176

175

177

176

<xi:include href="mandos-options.xml" xpointer="port"/>

178

177

</listitem>

179

178

</varlistentry>

180

179

181

180

182

<term><literal>--check</literal></term>

181

<term><option>--check</option></term>

183

182

184

183

<para>

185

184

Run the server’s self-tests. This includes any unit

187

186

</para>

188

187

</listitem>

189

188

</varlistentry>

190

189

191

190

192

<term><literal>--debug</literal></term>

191

<term><option>--debug</option></term>

193

192

194

193

<xi:include href="mandos-options.xml" xpointer="debug"/>

195

194

</listitem>

196

195

</varlistentry>

197

196

198

197

199

<term><literal>--priority <replaceable>

200

PRIORITY</replaceable></literal></term>

198

<term><option>--priority <replaceable>

199

PRIORITY</replaceable></option></term>

201

200

202

201

<xi:include href="mandos-options.xml" xpointer="priority"/>

203

202

</listitem>

204

203

</varlistentry>

205

204

206

205

207

<term><literal>--servicename <replaceable>NAME</replaceable>

208

</literal></term>

206

<term><option>--servicename

207

209

208

210

209

<xi:include href="mandos-options.xml"

211

210

xpointer="servicename"/>

212

211

</listitem>

213

212

</varlistentry>

214

213

215

214

216

<term><literal>--configdir <replaceable>DIR</replaceable>

217

</literal></term>

215

<term><option>--configdir

216

<replaceable>DIRECTORY</replaceable></option></term>

218

217

219

218

<para>

220

219

Directory to search for configuration files. Default is

226

225

</para>

227

226

</listitem>

228

227

</varlistentry>

229

228

230

229

231

<term><literal>--version</literal></term>

230

<term><option>--version</option></term>

232

231

233

232

<para>

234

233

Prints the program version and exit.

235

234

</para>

236

235

</listitem>

237

236

</varlistentry>

237

238

239

240

241

<xi:include href="mandos-options.xml" xpointer="dbus"/>

242

<para>

243

See also <xref linkend="dbus_interface"/>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

250

251

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

252

</listitem>

253

</varlistentry>

238

254

</variablelist>

239

255

</refsect1>

240

256

241

257

242

258

<title>OVERVIEW</title>

243

259

<xi:include href="overview.xml"/>

244

260

<para>

245

261

This program is the server part. It is a normal server program

246

262

and will run in a normal system environment, not in an initial

247

RAM disk environment.

263

<acronym>RAM</acronym> disk environment.

248

264

</para>

249

265

</refsect1>

250

266

251

267

252

268

<title>NETWORK PROTOCOL</title>

253

269

<para>

305

321

</row>

306

322

</tbody></tgroup></table>

307

323

</refsect1>

308

324

309

325

310

326

<title>CHECKING</title>

311

327

<para>

312

328

The server will, by default, continually check that the clients

313

329

are still up. If a client has not been confirmed as being up

314

330

for some time, the client is assumed to be compromised and is no

315

longer eligible to receive the encrypted password. The timeout,

331

longer eligible to receive the encrypted password. (Manual

332

intervention is required to re-enable a client.) The timeout,

316

333

checker program, and interval between checks can be configured

317

334

both globally and per client; see <citerefentry>

318

335

<refentrytitle>mandos-clients.conf</refentrytitle>

319

<manvolnum>5</manvolnum></citerefentry>.

320

</para>

321

</refsect1>

322

336

<manvolnum>5</manvolnum></citerefentry>. A client successfully

337

receiving its password will also be treated as a successful

338

checker run.

339

</para>

340

</refsect1>

341

342

343

<title>APPROVAL</title>

344

<para>

345

The server can be configured to require manual approval for a

346

client before it is sent its secret. The delay to wait for such

347

approval and the default action (approve or deny) can be

348

configured both globally and per client; see <citerefentry>

349

<refentrytitle>mandos-clients.conf</refentrytitle>

350

<manvolnum>5</manvolnum></citerefentry>. By default all clients

351

will be approved immediately without delay.

352

</para>

353

<para>

354

This can be used to deny a client its secret if not manually

355

approved within a specified time. It can also be used to make

356

the server delay before giving a client its secret, allowing

357

optional manual denying of this specific client.

358

</para>

359

360

</refsect1>

361

323

362

324

363

<title>LOGGING</title>

325

364

<para>

329

368

and also show them on the console.

330

369

</para>

331

370

</refsect1>

332

371

372

373

<title>D-BUS INTERFACE</title>

374

<para>

375

The server will by default provide a D-Bus system bus interface.

376

This interface will only be accessible by the root user or a

377

Mandos-specific user, if such a user exists. For documentation

378

of the D-Bus API, see the file <filename>DBUS-API</filename>.

379

</para>

380

</refsect1>

381

333

382

334

383

<title>EXIT STATUS</title>

335

384

<para>

337

386

critical error is encountered.

338

387

</para>

339

388

</refsect1>

340

389

341

390

342

391

<title>ENVIRONMENT</title>

343

392

357

406

</varlistentry>

358

407

</variablelist>

359

408

</refsect1>

360

361

409

410

362

411

<title>FILES</title>

363

412

<para>

364

413

Use the <option>--configdir</option> option to change where

387

436

</listitem>

388

437

</varlistentry>

389

438

390

<term><filename>/var/run/mandos/mandos.pid</filename></term>

439

<term><filename>/var/run/mandos.pid</filename></term>

391

440

392

441

<para>

393

The file containing the process id of

394

<command>&COMMANDNAME;</command>.

442

The file containing the process id of the

443

<command>&COMMANDNAME;</command> process started last.

395

444

</para>

396

445

</listitem>

397

446

</varlistentry>

425

474

backtrace. This could be considered a feature.

426

475

</para>

427

476

<para>

428

Currently, if a client is declared <quote>invalid</quote> due to

429

having timed out, the server does not record this fact onto

430

permanent storage. This has some security implications, see

431

<xref linkend="CLIENTS"/>.

432

</para>

433

<para>

434

There is currently no way of querying the server of the current

435

status of clients, other than analyzing its <systemitem

436

class="service">syslog</systemitem> output.

477

Currently, if a client is disabled due to having timed out, the

478

server does not record this fact onto permanent storage. This

479

has some security implications, see <xref linkend="clients"/>.

437

480

</para>

438

481

<para>

439

482

There is no fine-grained control over logging and debug output.

442

485

Debug mode is conflated with running in the foreground.

443

486

</para>

444

487

<para>

445

The console log messages does not show a timestamp.

488

The console log messages do not show a time stamp.

489

</para>

490

<para>

491

This server does not check the expire time of clients’ OpenPGP

492

keys.

446

493

</para>

447

494

</refsect1>

448

495

483

530

</para>

484

531

</informalexample>

485

532

</refsect1>

486

533

487

534

488

535

<title>SECURITY</title>

489

536

490

537

<title>SERVER</title>

491

538

<para>

492

539

Running this <command>&COMMANDNAME;</command> server program

493

540

should not in itself present any security risk to the host

494

computer running it. The program does not need any special

495

privileges to run, and is designed to run as a non-root user.

541

computer running it. The program switches to a non-root user

542

soon after startup.

496

543

</para>

497

544

</refsect2>

498

545

499

546

<title>CLIENTS</title>

500

547

<para>

501

548

The server only gives out its stored data to clients which

508

555

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

509

556

<manvolnum>5</manvolnum></citerefentry>)

510

557

<emphasis>must</emphasis> be made non-readable by anyone

511

except the user running the server.

558

except the user starting the server (usually root).

512

559

</para>

513

560

<para>

514

561

As detailed in <xref linkend="checking"/>, the status of all

517

564

</para>

518

565

<para>

519

566

If a client is compromised, its downtime should be duly noted

520

by the server which would therefore declare the client

521

invalid. But if the server was ever restarted, it would

522

re-read its client list from its configuration file and again

523

regard all clients therein as valid, and hence eligible to

524

receive their passwords. Therefore, be careful when

525

restarting servers if it is suspected that a client has, in

526

fact, been compromised by parties who may now be running a

527

fake Mandos client with the keys from the non-encrypted

528

initial RAM image of the client host. What should be done in

529

that case (if restarting the server program really is

530

necessary) is to stop the server program, edit the

531

configuration file to omit any suspect clients, and restart

532

the server program.

567

by the server which would therefore disable the client. But

568

if the server was ever restarted, it would re-read its client

569

list from its configuration file and again regard all clients

570

therein as enabled, and hence eligible to receive their

571

passwords. Therefore, be careful when restarting servers if

572

it is suspected that a client has, in fact, been compromised

573

by parties who may now be running a fake Mandos client with

574

the keys from the non-encrypted initial <acronym>RAM</acronym>

575

image of the client host. What should be done in that case

576

(if restarting the server program really is necessary) is to

577

stop the server program, edit the configuration file to omit

578

any suspect clients, and restart the server program.

533

579

</para>

534

580

<para>

535

581

For more details on client-side security, see

536

<citerefentry><refentrytitle>password-request</refentrytitle>

582

<citerefentry><refentrytitle>mandos-client</refentrytitle>

537

583

<manvolnum>8mandos</manvolnum></citerefentry>.

538

584

</para>

539

585

</refsect2>

540

586

</refsect1>

541

587

542

588

543

589

544

590

<para>

547

593

548

594

<refentrytitle>mandos.conf</refentrytitle>

549

595

550

<refentrytitle>password-request</refentrytitle>

596

<refentrytitle>mandos-client</refentrytitle>

551

597

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

552

598

553

599

</citerefentry>

Older »