To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 463.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 463.1.7
- Committer: teddy at bsnet
- Date: 2011-02-15 18:37:39 UTC
- mto: This revision was merged to the branch mainline in revision 465.
- Revision ID: teddy@fukt.bsnet.se-20110215183739-qeoi1kjthc1ob2ca
* mandos-ctl: Use only unicode string literals.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY TIMESTAMP "2008-08-29">
5
<!ENTITY TIMESTAMP "2010-09-26">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
7
8
]>
8
9
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
<refentryinfo>
11
<title>&COMMANDNAME;</title>
11
<refentryinfo>
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
<productname>&COMMANDNAME;</productname>
14
<productnumber>&VERSION;</productnumber>
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
16
17
<authorgroup>
17
18
<author>
31
32
</authorgroup>
32
33
<copyright>
33
34
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
34
37
<holder>Teddy Hogeborn</holder>
35
38
<holder>Björn Påhlsson</holder>
36
39
</copyright>
37
<legalnotice>
38
<para>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
43
later version.
44
</para>
45
46
<para>
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
51
for more details.
52
</para>
53
54
<para>
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
58
</para>
59
</legalnotice>
40
<xi:include href="legalnotice.xml"/>
60
41
</refentryinfo>
61
42
62
43
<refmeta>
63
44
<refentrytitle>&COMMANDNAME;</refentrytitle>
64
45
<manvolnum>8</manvolnum>
67
48
<refnamediv>
68
49
<refname><command>&COMMANDNAME;</command></refname>
69
50
<refpurpose>
70
Sends encrypted passwords to authenticated Mandos clients
51
Gives encrypted passwords to authenticated Mandos clients
71
52
</refpurpose>
72
53
</refnamediv>
73
54
74
55
<refsynopsisdiv>
75
56
<cmdsynopsis>
76
57
<command>&COMMANDNAME;</command>
77
<arg>--interface<arg choice="plain">NAME</arg></arg>
78
<arg>--address<arg choice="plain">ADDRESS</arg></arg>
79
<arg>--port<arg choice="plain">PORT</arg></arg>
80
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
81
<arg>--servicename<arg choice="plain">NAME</arg></arg>
82
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
83
<arg>--debug</arg>
84
</cmdsynopsis>
85
<cmdsynopsis>
86
<command>&COMMANDNAME;</command>
87
<arg>-i<arg choice="plain">NAME</arg></arg>
88
<arg>-a<arg choice="plain">ADDRESS</arg></arg>
89
<arg>-p<arg choice="plain">PORT</arg></arg>
90
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
91
<arg>--servicename<arg choice="plain">NAME</arg></arg>
92
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
93
<arg>--debug</arg>
58
<group>
59
<arg choice="plain"><option>--interface
60
<replaceable>NAME</replaceable></option></arg>
61
<arg choice="plain"><option>-i
62
<replaceable>NAME</replaceable></option></arg>
63
</group>
64
<sbr/>
65
<group>
66
<arg choice="plain"><option>--address
67
<replaceable>ADDRESS</replaceable></option></arg>
68
<arg choice="plain"><option>-a
69
<replaceable>ADDRESS</replaceable></option></arg>
70
</group>
71
<sbr/>
72
<group>
73
<arg choice="plain"><option>--port
74
<replaceable>PORT</replaceable></option></arg>
75
<arg choice="plain"><option>-p
76
<replaceable>PORT</replaceable></option></arg>
77
</group>
78
<sbr/>
79
<arg><option>--priority
80
<replaceable>PRIORITY</replaceable></option></arg>
81
<sbr/>
82
<arg><option>--servicename
83
<replaceable>NAME</replaceable></option></arg>
84
<sbr/>
85
<arg><option>--configdir
86
<replaceable>DIRECTORY</replaceable></option></arg>
87
<sbr/>
88
<arg><option>--debug</option></arg>
89
<sbr/>
90
<arg><option>--debuglevel
91
<replaceable>LEVEL</replaceable></option></arg>
92
<sbr/>
93
<arg><option>--no-dbus</option></arg>
94
<sbr/>
95
<arg><option>--no-ipv6</option></arg>
94
96
</cmdsynopsis>
95
97
<cmdsynopsis>
96
98
<command>&COMMANDNAME;</command>
97
99
<group choice="req">
98
<arg choice="plain">-h</arg>
99
<arg choice="plain">--help</arg>
100
<arg choice="plain"><option>--help</option></arg>
101
<arg choice="plain"><option>-h</option></arg>
100
102
</group>
101
103
</cmdsynopsis>
102
104
<cmdsynopsis>
103
105
<command>&COMMANDNAME;</command>
104
<arg choice="plain">--version</arg>
106
<arg choice="plain"><option>--version</option></arg>
105
107
</cmdsynopsis>
106
108
<cmdsynopsis>
107
109
<command>&COMMANDNAME;</command>
108
<arg choice="plain">--check</arg>
110
<arg choice="plain"><option>--check</option></arg>
109
111
</cmdsynopsis>
110
112
</refsynopsisdiv>
111
113
112
114
<refsect1 id="description">
113
115
<title>DESCRIPTION</title>
114
116
<para>
123
125
Any authenticated client is then given the stored pre-encrypted
124
126
password for that specific client.
125
127
</para>
126
127
128
</refsect1>
128
129
129
130
<refsect1 id="purpose">
130
131
<title>PURPOSE</title>
131
132
132
<para>
133
133
The purpose of this is to enable <emphasis>remote and unattended
134
134
rebooting</emphasis> of client host computer with an
135
135
<emphasis>encrypted root file system</emphasis>. See <xref
136
136
linkend="overview"/> for details.
137
137
</para>
138
139
138
</refsect1>
140
139
141
140
<refsect1 id="options">
142
141
<title>OPTIONS</title>
143
144
142
<variablelist>
145
143
<varlistentry>
146
<term><literal>-h</literal>, <literal>--help</literal></term>
144
<term><option>--help</option></term>
145
<term><option>-h</option></term>
147
146
<listitem>
148
147
<para>
149
148
Show a help message and exit
150
149
</para>
151
150
</listitem>
152
151
</varlistentry>
153
152
154
153
<varlistentry>
155
<term><literal>-i</literal>, <literal>--interface <replaceable
156
>NAME</replaceable></literal></term>
154
<term><option>--interface</option>
155
<replaceable>NAME</replaceable></term>
156
<term><option>-i</option>
157
<replaceable>NAME</replaceable></term>
157
158
<listitem>
158
159
<xi:include href="mandos-options.xml" xpointer="interface"/>
159
160
</listitem>
160
161
</varlistentry>
161
162
162
163
<varlistentry>
163
<term><literal>-a</literal>, <literal>--address <replaceable>
164
ADDRESS</replaceable></literal></term>
164
<term><option>--address
165
<replaceable>ADDRESS</replaceable></option></term>
166
<term><option>-a
167
<replaceable>ADDRESS</replaceable></option></term>
165
168
<listitem>
166
169
<xi:include href="mandos-options.xml" xpointer="address"/>
167
170
</listitem>
168
171
</varlistentry>
169
172
170
173
<varlistentry>
171
<term><literal>-p</literal>, <literal>--port <replaceable>
172
PORT</replaceable></literal></term>
174
<term><option>--port
175
<replaceable>PORT</replaceable></option></term>
176
<term><option>-p
177
<replaceable>PORT</replaceable></option></term>
173
178
<listitem>
174
179
<xi:include href="mandos-options.xml" xpointer="port"/>
175
180
</listitem>
176
181
</varlistentry>
177
182
178
183
<varlistentry>
179
<term><literal>--check</literal></term>
184
<term><option>--check</option></term>
180
185
<listitem>
181
186
<para>
182
187
Run the server’s self-tests. This includes any unit
184
189
</para>
185
190
</listitem>
186
191
</varlistentry>
187
192
188
193
<varlistentry>
189
<term><literal>--debug</literal></term>
194
<term><option>--debug</option></term>
190
195
<listitem>
191
196
<xi:include href="mandos-options.xml" xpointer="debug"/>
192
197
</listitem>
193
198
</varlistentry>
194
195
<varlistentry>
196
<term><literal>--priority <replaceable>
197
PRIORITY</replaceable></literal></term>
199
200
<varlistentry>
201
<term><option>--debuglevel
202
<replaceable>LEVEL</replaceable></option></term>
203
<listitem>
204
<para>
205
Set the debugging log level.
206
<replaceable>LEVEL</replaceable> is a string, one of
207
<quote><literal>CRITICAL</literal></quote>,
208
<quote><literal>ERROR</literal></quote>,
209
<quote><literal>WARNING</literal></quote>,
210
<quote><literal>INFO</literal></quote>, or
211
<quote><literal>DEBUG</literal></quote>, in order of
212
increasing verbosity. The default level is
213
<quote><literal>WARNING</literal></quote>.
214
</para>
215
</listitem>
216
</varlistentry>
217
218
<varlistentry>
219
<term><option>--priority <replaceable>
220
PRIORITY</replaceable></option></term>
198
221
<listitem>
199
222
<xi:include href="mandos-options.xml" xpointer="priority"/>
200
223
</listitem>
201
224
</varlistentry>
202
225
203
226
<varlistentry>
204
<term><literal>--servicename <replaceable>NAME</replaceable>
205
</literal></term>
227
<term><option>--servicename
228
<replaceable>NAME</replaceable></option></term>
206
229
<listitem>
207
230
<xi:include href="mandos-options.xml"
208
231
xpointer="servicename"/>
209
232
</listitem>
210
233
</varlistentry>
211
234
212
235
<varlistentry>
213
<term><literal>--configdir <replaceable>DIR</replaceable>
214
</literal></term>
236
<term><option>--configdir
237
<replaceable>DIRECTORY</replaceable></option></term>
215
238
<listitem>
216
239
<para>
217
240
Directory to search for configuration files. Default is
223
246
</para>
224
247
</listitem>
225
248
</varlistentry>
226
249
227
250
<varlistentry>
228
<term><literal>--version</literal></term>
251
<term><option>--version</option></term>
229
252
<listitem>
230
253
<para>
231
254
Prints the program version and exit.
232
255
</para>
233
256
</listitem>
234
257
</varlistentry>
258
259
<varlistentry>
260
<term><option>--no-dbus</option></term>
261
<listitem>
262
<xi:include href="mandos-options.xml" xpointer="dbus"/>
263
<para>
264
See also <xref linkend="dbus_interface"/>.
265
</para>
266
</listitem>
267
</varlistentry>
268
269
<varlistentry>
270
<term><option>--no-ipv6</option></term>
271
<listitem>
272
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
273
</listitem>
274
</varlistentry>
235
275
</variablelist>
236
276
</refsect1>
237
277
238
278
<refsect1 id="overview">
239
279
<title>OVERVIEW</title>
240
280
<xi:include href="overview.xml"/>
241
281
<para>
242
282
This program is the server part. It is a normal server program
243
283
and will run in a normal system environment, not in an initial
244
RAM disk environment.
284
<acronym>RAM</acronym> disk environment.
245
285
</para>
246
286
</refsect1>
247
287
248
288
<refsect1 id="protocol">
249
289
<title>NETWORK PROTOCOL</title>
250
290
<para>
302
342
</row>
303
343
</tbody></tgroup></table>
304
344
</refsect1>
305
345
306
346
<refsect1 id="checking">
307
347
<title>CHECKING</title>
308
348
<para>
309
349
The server will, by default, continually check that the clients
310
350
are still up. If a client has not been confirmed as being up
311
351
for some time, the client is assumed to be compromised and is no
312
longer eligible to receive the encrypted password. The timeout,
352
longer eligible to receive the encrypted password. (Manual
353
intervention is required to re-enable a client.) The timeout,
313
354
checker program, and interval between checks can be configured
314
355
both globally and per client; see <citerefentry>
315
356
<refentrytitle>mandos-clients.conf</refentrytitle>
316
<manvolnum>5</manvolnum></citerefentry>.
317
</para>
318
</refsect1>
319
357
<manvolnum>5</manvolnum></citerefentry>. A client successfully
358
receiving its password will also be treated as a successful
359
checker run.
360
</para>
361
</refsect1>
362
363
<refsect1 id="approval">
364
<title>APPROVAL</title>
365
<para>
366
The server can be configured to require manual approval for a
367
client before it is sent its secret. The delay to wait for such
368
approval and the default action (approve or deny) can be
369
configured both globally and per client; see <citerefentry>
370
<refentrytitle>mandos-clients.conf</refentrytitle>
371
<manvolnum>5</manvolnum></citerefentry>. By default all clients
372
will be approved immediately without delay.
373
</para>
374
<para>
375
This can be used to deny a client its secret if not manually
376
approved within a specified time. It can also be used to make
377
the server delay before giving a client its secret, allowing
378
optional manual denying of this specific client.
379
</para>
380
381
</refsect1>
382
320
383
<refsect1 id="logging">
321
384
<title>LOGGING</title>
322
385
<para>
326
389
and also show them on the console.
327
390
</para>
328
391
</refsect1>
329
392
393
<refsect1 id="dbus_interface">
394
<title>D-BUS INTERFACE</title>
395
<para>
396
The server will by default provide a D-Bus system bus interface.
397
This interface will only be accessible by the root user or a
398
Mandos-specific user, if such a user exists. For documentation
399
of the D-Bus API, see the file <filename>DBUS-API</filename>.
400
</para>
401
</refsect1>
402
330
403
<refsect1 id="exit_status">
331
404
<title>EXIT STATUS</title>
332
405
<para>
334
407
critical error is encountered.
335
408
</para>
336
409
</refsect1>
337
410
338
411
<refsect1 id="environment">
339
412
<title>ENVIRONMENT</title>
340
413
<variablelist>
341
414
<varlistentry>
342
<term><varname>PATH</varname></term>
415
<term><envar>PATH</envar></term>
343
416
<listitem>
344
417
<para>
345
418
To start the configured checker (see <xref
354
427
</varlistentry>
355
428
</variablelist>
356
429
</refsect1>
357
358
<refsect1 id="file">
430
431
<refsect1 id="files">
359
432
<title>FILES</title>
360
433
<para>
361
434
Use the <option>--configdir</option> option to change where
384
457
</listitem>
385
458
</varlistentry>
386
459
<varlistentry>
387
<term><filename>/var/run/mandos/mandos.pid</filename></term>
460
<term><filename>/var/run/mandos.pid</filename></term>
388
461
<listitem>
389
462
<para>
390
The file containing the process id of
391
<command>&COMMANDNAME;</command>.
463
The file containing the process id of the
464
<command>&COMMANDNAME;</command> process started last.
392
465
</para>
393
466
</listitem>
394
467
</varlistentry>
422
495
backtrace. This could be considered a feature.
423
496
</para>
424
497
<para>
425
Currently, if a client is declared <quote>invalid</quote> due to
426
having timed out, the server does not record this fact onto
427
permanent storage. This has some security implications, see
428
<xref linkend="CLIENTS"/>.
429
</para>
430
<para>
431
There is currently no way of querying the server of the current
432
status of clients, other than analyzing its <systemitem
433
class="service">syslog</systemitem> output.
498
Currently, if a client is disabled due to having timed out, the
499
server does not record this fact onto permanent storage. This
500
has some security implications, see <xref linkend="clients"/>.
434
501
</para>
435
502
<para>
436
503
There is no fine-grained control over logging and debug output.
439
506
Debug mode is conflated with running in the foreground.
440
507
</para>
441
508
<para>
442
The console log messages does not show a timestamp.
509
The console log messages do not show a time stamp.
510
</para>
511
<para>
512
This server does not check the expire time of clients’ OpenPGP
513
keys.
443
514
</para>
444
515
</refsect1>
445
516
480
551
</para>
481
552
</informalexample>
482
553
</refsect1>
483
554
484
555
<refsect1 id="security">
485
556
<title>SECURITY</title>
486
<refsect2 id="SERVER">
557
<refsect2 id="server">
487
558
<title>SERVER</title>
488
559
<para>
489
560
Running this <command>&COMMANDNAME;</command> server program
490
561
should not in itself present any security risk to the host
491
computer running it. The program does not need any special
492
privileges to run, and is designed to run as a non-root user.
562
computer running it. The program switches to a non-root user
563
soon after startup.
493
564
</para>
494
565
</refsect2>
495
<refsect2 id="CLIENTS">
566
<refsect2 id="clients">
496
567
<title>CLIENTS</title>
497
568
<para>
498
569
The server only gives out its stored data to clients which
505
576
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
506
577
<manvolnum>5</manvolnum></citerefentry>)
507
578
<emphasis>must</emphasis> be made non-readable by anyone
508
except the user running the server.
579
except the user starting the server (usually root).
509
580
</para>
510
581
<para>
511
582
As detailed in <xref linkend="checking"/>, the status of all
514
585
</para>
515
586
<para>
516
587
If a client is compromised, its downtime should be duly noted
517
by the server which would therefore declare the client
518
invalid. But if the server was ever restarted, it would
519
re-read its client list from its configuration file and again
520
regard all clients therein as valid, and hence eligible to
521
receive their passwords. Therefore, be careful when
522
restarting servers if it is suspected that a client has, in
523
fact, been compromised by parties who may now be running a
524
fake Mandos client with the keys from the non-encrypted
525
initial RAM image of the client host. What should be done in
526
that case (if restarting the server program really is
527
necessary) is to stop the server program, edit the
528
configuration file to omit any suspect clients, and restart
529
the server program.
588
by the server which would therefore disable the client. But
589
if the server was ever restarted, it would re-read its client
590
list from its configuration file and again regard all clients
591
therein as enabled, and hence eligible to receive their
592
passwords. Therefore, be careful when restarting servers if
593
it is suspected that a client has, in fact, been compromised
594
by parties who may now be running a fake Mandos client with
595
the keys from the non-encrypted initial <acronym>RAM</acronym>
596
image of the client host. What should be done in that case
597
(if restarting the server program really is necessary) is to
598
stop the server program, edit the configuration file to omit
599
any suspect clients, and restart the server program.
530
600
</para>
531
601
<para>
532
602
For more details on client-side security, see
533
<citerefentry><refentrytitle>password-request</refentrytitle>
603
<citerefentry><refentrytitle>mandos-client</refentrytitle>
534
604
<manvolnum>8mandos</manvolnum></citerefentry>.
535
605
</para>
536
606
</refsect2>
537
607
</refsect1>
538
608
539
609
<refsect1 id="see_also">
540
610
<title>SEE ALSO</title>
541
611
<para>
542
612
<citerefentry>
613
<refentrytitle>mandos-clients.conf</refentrytitle>
614
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
543
615
<refentrytitle>mandos.conf</refentrytitle>
544
616
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
545
<refentrytitle>mandos-clients.conf</refentrytitle>
546
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
547
<refentrytitle>password-request</refentrytitle>
617
<refentrytitle>mandos-client</refentrytitle>
548
618
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
549
619
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
550
620
</citerefentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0