To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 475
- compare with another revision
- download diff
- download tarball
- view history from revision 475
- Committer: teddy at bsnet
- Date: 2011-03-15 20:13:05 UTC
- Revision ID: teddy@fukt.bsnet.se-20110315201305-1eptd9mvxem1qtr2
* mandos-ctl: Use the new argparse library instead of optparse.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY TIMESTAMP "2008-08-30">
5
<!ENTITY TIMESTAMP "2011-02-27">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
7
8
]>
8
9
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
<refentryinfo>
11
<refentryinfo>
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
16
17
<authorgroup>
17
18
<author>
31
32
</authorgroup>
32
33
<copyright>
33
34
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
34
38
<holder>Teddy Hogeborn</holder>
35
39
<holder>Björn Påhlsson</holder>
36
40
</copyright>
37
<legalnotice>
38
<para>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
43
later version.
44
</para>
45
46
<para>
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
51
for more details.
52
</para>
53
54
<para>
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
58
</para>
59
</legalnotice>
41
<xi:include href="legalnotice.xml"/>
60
42
</refentryinfo>
61
43
62
44
<refmeta>
63
45
<refentrytitle>&COMMANDNAME;</refentrytitle>
64
46
<manvolnum>8</manvolnum>
70
52
Gives encrypted passwords to authenticated Mandos clients
71
53
</refpurpose>
72
54
</refnamediv>
73
55
74
56
<refsynopsisdiv>
75
57
<cmdsynopsis>
76
58
<command>&COMMANDNAME;</command>
105
87
<replaceable>DIRECTORY</replaceable></option></arg>
106
88
<sbr/>
107
89
<arg><option>--debug</option></arg>
90
<sbr/>
91
<arg><option>--debuglevel
92
<replaceable>LEVEL</replaceable></option></arg>
93
<sbr/>
94
<arg><option>--no-dbus</option></arg>
95
<sbr/>
96
<arg><option>--no-ipv6</option></arg>
108
97
</cmdsynopsis>
109
98
<cmdsynopsis>
110
99
<command>&COMMANDNAME;</command>
111
100
<group choice="req">
101
<arg choice="plain"><option>--help</option></arg>
112
102
<arg choice="plain"><option>-h</option></arg>
113
<arg choice="plain"><option>--help</option></arg>
114
103
</group>
115
104
</cmdsynopsis>
116
105
<cmdsynopsis>
122
111
<arg choice="plain"><option>--check</option></arg>
123
112
</cmdsynopsis>
124
113
</refsynopsisdiv>
125
114
126
115
<refsect1 id="description">
127
116
<title>DESCRIPTION</title>
128
117
<para>
137
126
Any authenticated client is then given the stored pre-encrypted
138
127
password for that specific client.
139
128
</para>
140
141
129
</refsect1>
142
130
143
131
<refsect1 id="purpose">
144
132
<title>PURPOSE</title>
145
146
133
<para>
147
134
The purpose of this is to enable <emphasis>remote and unattended
148
135
rebooting</emphasis> of client host computer with an
149
136
<emphasis>encrypted root file system</emphasis>. See <xref
150
137
linkend="overview"/> for details.
151
138
</para>
152
153
139
</refsect1>
154
140
155
141
<refsect1 id="options">
156
142
<title>OPTIONS</title>
157
158
143
<variablelist>
159
144
<varlistentry>
145
<term><option>--help</option></term>
160
146
<term><option>-h</option></term>
161
<term><option>--help</option></term>
162
147
<listitem>
163
148
<para>
164
149
Show a help message and exit
165
150
</para>
166
151
</listitem>
167
152
</varlistentry>
168
153
169
154
<varlistentry>
155
<term><option>--interface</option>
156
<replaceable>NAME</replaceable></term>
170
157
<term><option>-i</option>
171
158
<replaceable>NAME</replaceable></term>
172
<term><option>--interface</option>
173
<replaceable>NAME</replaceable></term>
174
159
<listitem>
175
160
<xi:include href="mandos-options.xml" xpointer="interface"/>
176
161
</listitem>
177
162
</varlistentry>
178
163
179
164
<varlistentry>
180
<term><literal>-a</literal>, <literal>--address <replaceable>
181
ADDRESS</replaceable></literal></term>
165
<term><option>--address
166
<replaceable>ADDRESS</replaceable></option></term>
167
<term><option>-a
168
<replaceable>ADDRESS</replaceable></option></term>
182
169
<listitem>
183
170
<xi:include href="mandos-options.xml" xpointer="address"/>
184
171
</listitem>
185
172
</varlistentry>
186
173
187
174
<varlistentry>
188
<term><literal>-p</literal>, <literal>--port <replaceable>
189
PORT</replaceable></literal></term>
175
<term><option>--port
176
<replaceable>PORT</replaceable></option></term>
177
<term><option>-p
178
<replaceable>PORT</replaceable></option></term>
190
179
<listitem>
191
180
<xi:include href="mandos-options.xml" xpointer="port"/>
192
181
</listitem>
193
182
</varlistentry>
194
183
195
184
<varlistentry>
196
<term><literal>--check</literal></term>
185
<term><option>--check</option></term>
197
186
<listitem>
198
187
<para>
199
188
Run the server’s self-tests. This includes any unit
201
190
</para>
202
191
</listitem>
203
192
</varlistentry>
204
193
205
194
<varlistentry>
206
<term><literal>--debug</literal></term>
195
<term><option>--debug</option></term>
207
196
<listitem>
208
197
<xi:include href="mandos-options.xml" xpointer="debug"/>
209
198
</listitem>
210
199
</varlistentry>
211
212
<varlistentry>
213
<term><literal>--priority <replaceable>
214
PRIORITY</replaceable></literal></term>
200
201
<varlistentry>
202
<term><option>--debuglevel
203
<replaceable>LEVEL</replaceable></option></term>
204
<listitem>
205
<para>
206
Set the debugging log level.
207
<replaceable>LEVEL</replaceable> is a string, one of
208
<quote><literal>CRITICAL</literal></quote>,
209
<quote><literal>ERROR</literal></quote>,
210
<quote><literal>WARNING</literal></quote>,
211
<quote><literal>INFO</literal></quote>, or
212
<quote><literal>DEBUG</literal></quote>, in order of
213
increasing verbosity. The default level is
214
<quote><literal>WARNING</literal></quote>.
215
</para>
216
</listitem>
217
</varlistentry>
218
219
<varlistentry>
220
<term><option>--priority <replaceable>
221
PRIORITY</replaceable></option></term>
215
222
<listitem>
216
223
<xi:include href="mandos-options.xml" xpointer="priority"/>
217
224
</listitem>
218
225
</varlistentry>
219
226
220
227
<varlistentry>
221
<term><literal>--servicename <replaceable>NAME</replaceable>
222
</literal></term>
228
<term><option>--servicename
229
<replaceable>NAME</replaceable></option></term>
223
230
<listitem>
224
231
<xi:include href="mandos-options.xml"
225
232
xpointer="servicename"/>
226
233
</listitem>
227
234
</varlistentry>
228
235
229
236
<varlistentry>
230
<term><literal>--configdir <replaceable>DIR</replaceable>
231
</literal></term>
237
<term><option>--configdir
238
<replaceable>DIRECTORY</replaceable></option></term>
232
239
<listitem>
233
240
<para>
234
241
Directory to search for configuration files. Default is
240
247
</para>
241
248
</listitem>
242
249
</varlistentry>
243
250
244
251
<varlistentry>
245
<term><literal>--version</literal></term>
252
<term><option>--version</option></term>
246
253
<listitem>
247
254
<para>
248
255
Prints the program version and exit.
249
256
</para>
250
257
</listitem>
251
258
</varlistentry>
259
260
<varlistentry>
261
<term><option>--no-dbus</option></term>
262
<listitem>
263
<xi:include href="mandos-options.xml" xpointer="dbus"/>
264
<para>
265
See also <xref linkend="dbus_interface"/>.
266
</para>
267
</listitem>
268
</varlistentry>
269
270
<varlistentry>
271
<term><option>--no-ipv6</option></term>
272
<listitem>
273
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
274
</listitem>
275
</varlistentry>
252
276
</variablelist>
253
277
</refsect1>
254
278
255
279
<refsect1 id="overview">
256
280
<title>OVERVIEW</title>
257
281
<xi:include href="overview.xml"/>
258
282
<para>
259
283
This program is the server part. It is a normal server program
260
284
and will run in a normal system environment, not in an initial
261
RAM disk environment.
285
<acronym>RAM</acronym> disk environment.
262
286
</para>
263
287
</refsect1>
264
288
265
289
<refsect1 id="protocol">
266
290
<title>NETWORK PROTOCOL</title>
267
291
<para>
319
343
</row>
320
344
</tbody></tgroup></table>
321
345
</refsect1>
322
346
323
347
<refsect1 id="checking">
324
348
<title>CHECKING</title>
325
349
<para>
326
350
The server will, by default, continually check that the clients
327
351
are still up. If a client has not been confirmed as being up
328
352
for some time, the client is assumed to be compromised and is no
329
longer eligible to receive the encrypted password. The timeout,
353
longer eligible to receive the encrypted password. (Manual
354
intervention is required to re-enable a client.) The timeout,
330
355
checker program, and interval between checks can be configured
331
356
both globally and per client; see <citerefentry>
332
357
<refentrytitle>mandos-clients.conf</refentrytitle>
333
<manvolnum>5</manvolnum></citerefentry>.
334
</para>
335
</refsect1>
336
358
<manvolnum>5</manvolnum></citerefentry>. A client successfully
359
receiving its password will also be treated as a successful
360
checker run.
361
</para>
362
</refsect1>
363
364
<refsect1 id="approval">
365
<title>APPROVAL</title>
366
<para>
367
The server can be configured to require manual approval for a
368
client before it is sent its secret. The delay to wait for such
369
approval and the default action (approve or deny) can be
370
configured both globally and per client; see <citerefentry>
371
<refentrytitle>mandos-clients.conf</refentrytitle>
372
<manvolnum>5</manvolnum></citerefentry>. By default all clients
373
will be approved immediately without delay.
374
</para>
375
<para>
376
This can be used to deny a client its secret if not manually
377
approved within a specified time. It can also be used to make
378
the server delay before giving a client its secret, allowing
379
optional manual denying of this specific client.
380
</para>
381
382
</refsect1>
383
337
384
<refsect1 id="logging">
338
385
<title>LOGGING</title>
339
386
<para>
343
390
and also show them on the console.
344
391
</para>
345
392
</refsect1>
346
393
394
<refsect1 id="dbus_interface">
395
<title>D-BUS INTERFACE</title>
396
<para>
397
The server will by default provide a D-Bus system bus interface.
398
This interface will only be accessible by the root user or a
399
Mandos-specific user, if such a user exists. For documentation
400
of the D-Bus API, see the file <filename>DBUS-API</filename>.
401
</para>
402
</refsect1>
403
347
404
<refsect1 id="exit_status">
348
405
<title>EXIT STATUS</title>
349
406
<para>
351
408
critical error is encountered.
352
409
</para>
353
410
</refsect1>
354
411
355
412
<refsect1 id="environment">
356
413
<title>ENVIRONMENT</title>
357
414
<variablelist>
371
428
</varlistentry>
372
429
</variablelist>
373
430
</refsect1>
374
375
<refsect1 id="file">
431
432
<refsect1 id="files">
376
433
<title>FILES</title>
377
434
<para>
378
435
Use the <option>--configdir</option> option to change where
401
458
</listitem>
402
459
</varlistentry>
403
460
<varlistentry>
404
<term><filename>/var/run/mandos/mandos.pid</filename></term>
461
<term><filename>/var/run/mandos.pid</filename></term>
405
462
<listitem>
406
463
<para>
407
The file containing the process id of
408
<command>&COMMANDNAME;</command>.
464
The file containing the process id of the
465
<command>&COMMANDNAME;</command> process started last.
409
466
</para>
410
467
</listitem>
411
468
</varlistentry>
439
496
backtrace. This could be considered a feature.
440
497
</para>
441
498
<para>
442
Currently, if a client is declared <quote>invalid</quote> due to
443
having timed out, the server does not record this fact onto
444
permanent storage. This has some security implications, see
445
<xref linkend="CLIENTS"/>.
446
</para>
447
<para>
448
There is currently no way of querying the server of the current
449
status of clients, other than analyzing its <systemitem
450
class="service">syslog</systemitem> output.
499
Currently, if a client is disabled due to having timed out, the
500
server does not record this fact onto permanent storage. This
501
has some security implications, see <xref linkend="clients"/>.
451
502
</para>
452
503
<para>
453
504
There is no fine-grained control over logging and debug output.
456
507
Debug mode is conflated with running in the foreground.
457
508
</para>
458
509
<para>
459
The console log messages does not show a timestamp.
510
The console log messages do not show a time stamp.
511
</para>
512
<para>
513
This server does not check the expire time of clients’ OpenPGP
514
keys.
460
515
</para>
461
516
</refsect1>
462
517
497
552
</para>
498
553
</informalexample>
499
554
</refsect1>
500
555
501
556
<refsect1 id="security">
502
557
<title>SECURITY</title>
503
<refsect2 id="SERVER">
558
<refsect2 id="server">
504
559
<title>SERVER</title>
505
560
<para>
506
561
Running this <command>&COMMANDNAME;</command> server program
507
562
should not in itself present any security risk to the host
508
computer running it. The program does not need any special
509
privileges to run, and is designed to run as a non-root user.
563
computer running it. The program switches to a non-root user
564
soon after startup.
510
565
</para>
511
566
</refsect2>
512
<refsect2 id="CLIENTS">
567
<refsect2 id="clients">
513
568
<title>CLIENTS</title>
514
569
<para>
515
570
The server only gives out its stored data to clients which
522
577
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
523
578
<manvolnum>5</manvolnum></citerefentry>)
524
579
<emphasis>must</emphasis> be made non-readable by anyone
525
except the user running the server.
580
except the user starting the server (usually root).
526
581
</para>
527
582
<para>
528
583
As detailed in <xref linkend="checking"/>, the status of all
531
586
</para>
532
587
<para>
533
588
If a client is compromised, its downtime should be duly noted
534
by the server which would therefore declare the client
535
invalid. But if the server was ever restarted, it would
536
re-read its client list from its configuration file and again
537
regard all clients therein as valid, and hence eligible to
538
receive their passwords. Therefore, be careful when
539
restarting servers if it is suspected that a client has, in
540
fact, been compromised by parties who may now be running a
541
fake Mandos client with the keys from the non-encrypted
542
initial RAM image of the client host. What should be done in
543
that case (if restarting the server program really is
544
necessary) is to stop the server program, edit the
545
configuration file to omit any suspect clients, and restart
546
the server program.
589
by the server which would therefore disable the client. But
590
if the server was ever restarted, it would re-read its client
591
list from its configuration file and again regard all clients
592
therein as enabled, and hence eligible to receive their
593
passwords. Therefore, be careful when restarting servers if
594
it is suspected that a client has, in fact, been compromised
595
by parties who may now be running a fake Mandos client with
596
the keys from the non-encrypted initial <acronym>RAM</acronym>
597
image of the client host. What should be done in that case
598
(if restarting the server program really is necessary) is to
599
stop the server program, edit the configuration file to omit
600
any suspect clients, and restart the server program.
547
601
</para>
548
602
<para>
549
603
For more details on client-side security, see
550
<citerefentry><refentrytitle>password-request</refentrytitle>
604
<citerefentry><refentrytitle>mandos-client</refentrytitle>
551
605
<manvolnum>8mandos</manvolnum></citerefentry>.
552
606
</para>
553
607
</refsect2>
554
608
</refsect1>
555
609
556
610
<refsect1 id="see_also">
557
611
<title>SEE ALSO</title>
558
612
<para>
561
615
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
562
616
<refentrytitle>mandos.conf</refentrytitle>
563
617
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
564
<refentrytitle>password-request</refentrytitle>
618
<refentrytitle>mandos-client</refentrytitle>
565
619
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
566
620
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
567
621
</citerefentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0