/mandos/trunk : revision 487

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2011-07-16 00:29:19 UTC
Revision ID: teddy@fukt.bsnet.se-20110716002919-r77yikuiulj42o40

* initramfs-tools-script: Abort if plugin-runner is missing.  Removed
                          workaround for Debian bug #633582; the
                          workaround required getopt, which can not be
                          guaranteed.
* plugin-runner.c (main): Work around Debian bug #633582.
* plugins.d/mandos-client.c (main): - '' -

files added:
DBUS-API

NEWS

dbus-mandos.conf

debian/source

debian/source/format

debian/watch

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

files modified:
.bzrignore

INSTALL

Makefile

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-30">

<!ENTITY TIMESTAMP "2011-02-27">

<!ENTITY % common SYSTEM "common.ent">

%common;

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

189

199

</varlistentry>

190

200

191

201

202

<term><option>--debuglevel

203

<replaceable>LEVEL</replaceable></option></term>

204

205

<para>

206

Set the debugging log level.

207

<replaceable>LEVEL</replaceable> is a string, one of

208

<quote><literal>CRITICAL</literal></quote>,

209

<quote><literal>ERROR</literal></quote>,

210

<quote><literal>WARNING</literal></quote>,

211

<quote><literal>INFO</literal></quote>, or

212

<quote><literal>DEBUG</literal></quote>, in order of

213

increasing verbosity. The default level is

214

<quote><literal>WARNING</literal></quote>.

215

</para>

216

</listitem>

217

</varlistentry>

218

219

192

220

<term><option>--priority <replaceable>

193

221

PRIORITY</replaceable></option></term>

194

222

228

256

</para>

229

257

</listitem>

230

258

</varlistentry>

259

260

261

262

263

<xi:include href="mandos-options.xml" xpointer="dbus"/>

264

<para>

265

See also <xref linkend="dbus_interface"/>.

266

</para>

267

</listitem>

268

</varlistentry>

269

270

271

272

273

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

274

</listitem>

275

</varlistentry>

231

276

</variablelist>

232

277

</refsect1>

233

278

305

350

The server will, by default, continually check that the clients

306

351

are still up. If a client has not been confirmed as being up

307

352

for some time, the client is assumed to be compromised and is no

308

longer eligible to receive the encrypted password. The timeout,

353

longer eligible to receive the encrypted password. (Manual

354

intervention is required to re-enable a client.) The timeout,

309

355

checker program, and interval between checks can be configured

310

356

both globally and per client; see <citerefentry>

311

357

<refentrytitle>mandos-clients.conf</refentrytitle>

312

<manvolnum>5</manvolnum></citerefentry>.

313

</para>

358

<manvolnum>5</manvolnum></citerefentry>. A client successfully

359

receiving its password will also be treated as a successful

360

checker run.

361

</para>

362

</refsect1>

363

364

365

<title>APPROVAL</title>

366

<para>

367

The server can be configured to require manual approval for a

368

client before it is sent its secret. The delay to wait for such

369

approval and the default action (approve or deny) can be

370

configured both globally and per client; see <citerefentry>

371

<refentrytitle>mandos-clients.conf</refentrytitle>

372

<manvolnum>5</manvolnum></citerefentry>. By default all clients

373

will be approved immediately without delay.

374

</para>

375

<para>

376

This can be used to deny a client its secret if not manually

377

approved within a specified time. It can also be used to make

378

the server delay before giving a client its secret, allowing

379

optional manual denying of this specific client.

380

</para>

381

314

382

</refsect1>

315

383

316

384

323

391

</para>

324

392

</refsect1>

325

393

394

395

<title>D-BUS INTERFACE</title>

396

<para>

397

The server will by default provide a D-Bus system bus interface.

398

This interface will only be accessible by the root user or a

399

Mandos-specific user, if such a user exists. For documentation

400

of the D-Bus API, see the file <filename>DBUS-API</filename>.

401

</para>

402

</refsect1>

403

326

404

327

405

<title>EXIT STATUS</title>

328

406

<para>

351

429

</variablelist>

352

430

</refsect1>

353

431

354

432

355

433

<title>FILES</title>

356

434

<para>

357

435

Use the <option>--configdir</option> option to change where

383

461

<term><filename>/var/run/mandos.pid</filename></term>

384

462

385

463

<para>

386

The file containing the process id of

387

<command>&COMMANDNAME;</command>.

464

The file containing the process id of the

465

<command>&COMMANDNAME;</command> process started last.

388

466

</para>

389

467

</listitem>

390

468

</varlistentry>

418

496

backtrace. This could be considered a feature.

419

497

</para>

420

498

<para>

421

Currently, if a client is declared <quote>invalid</quote> due to

422

having timed out, the server does not record this fact onto

423

permanent storage. This has some security implications, see

424

<xref linkend="CLIENTS"/>.

425

</para>

426

<para>

427

There is currently no way of querying the server of the current

428

status of clients, other than analyzing its <systemitem

429

class="service">syslog</systemitem> output.

499

Currently, if a client is disabled due to having timed out, the

500

server does not record this fact onto permanent storage. This

501

has some security implications, see <xref linkend="clients"/>.

430

502

</para>

431

503

<para>

432

504

There is no fine-grained control over logging and debug output.

435

507

Debug mode is conflated with running in the foreground.

436

508

</para>

437

509

<para>

438

The console log messages does not show a time stamp.

510

The console log messages do not show a time stamp.

439

511

</para>

440

512

<para>

441

513

This server does not check the expire time of clients’ OpenPGP

483

555

484

556

485

557

<title>SECURITY</title>

486

558

487

559

<title>SERVER</title>

488

560

<para>

489

561

Running this <command>&COMMANDNAME;</command> server program

492

564

soon after startup.

493

565

</para>

494

566

</refsect2>

495

567

496

568

<title>CLIENTS</title>

497

569

<para>

498

570

The server only gives out its stored data to clients which

514

586

</para>

515

587

<para>

516

588

If a client is compromised, its downtime should be duly noted

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial <acronym>RAM</acronym> image of the client host. What

526

should be done in that case (if restarting the server program

527

really is necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

589

by the server which would therefore disable the client. But

590

if the server was ever restarted, it would re-read its client

591

list from its configuration file and again regard all clients

592

therein as enabled, and hence eligible to receive their

593

passwords. Therefore, be careful when restarting servers if

594

it is suspected that a client has, in fact, been compromised

595

by parties who may now be running a fake Mandos client with

596

the keys from the non-encrypted initial <acronym>RAM</acronym>

597

image of the client host. What should be done in that case

598

(if restarting the server program really is necessary) is to

599

stop the server program, edit the configuration file to omit

600

any suspect clients, and restart the server program.

530

601

</para>

531

602

<para>

532

603

For more details on client-side security, see

Older »