/mandos/trunk : revision 518.1.15

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Björn Påhlsson
Date: 2011-12-13 17:55:20 UTC
mto: This revision was merged to the branch mainline in revision 524.
Revision ID: belorn@recompile.se-20111213175520-0my4v4nvp2vd8la4

more refactoring in regards to how clients get created

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
etc-plugins.d-README

plugins.d/usplash

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-06">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

100

116

<arg choice="plain"><option>--check</option></arg>

101

117

</cmdsynopsis>

102

118

</refsynopsisdiv>

103

119

104

120

105

121

<title>DESCRIPTION</title>

106

122

<para>

107

123

<command>&COMMANDNAME;</command> is a server daemon which

108

124

handles incoming request for passwords for a pre-defined list of

109

client host computers. The Mandos server uses Zeroconf to

110

announce itself on the local network, and uses TLS to

111

communicate securely with and to authenticate the clients. The

112

Mandos server uses IPv6 to allow Mandos clients to use IPv6

113

link-local addresses, since the clients will probably not have

114

any other addresses configured (see <xref linkend="overview"/>).

115

Any authenticated client is then given the stored pre-encrypted

116

password for that specific client.

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

117

135

</para>

118

136

</refsect1>

119

137

186

204

<xi:include href="mandos-options.xml" xpointer="debug"/>

187

205

</listitem>

188

206

</varlistentry>

189

207

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

190

226

191

227

<term><option>--priority <replaceable>

192

228

PRIORITY</replaceable></option></term>

194

230

<xi:include href="mandos-options.xml" xpointer="priority"/>

195

231

</listitem>

196

232

</varlistentry>

197

233

198

234

199

235

<term><option>--servicename

200

236

203

239

xpointer="servicename"/>

204

240

</listitem>

205

241

</varlistentry>

206

242

207

243

208

244

<term><option>--configdir

209

245

<replaceable>DIRECTORY</replaceable></option></term>

218

254

</para>

219

255

</listitem>

220

256

</varlistentry>

221

257

222

258

223

259

<term><option>--version</option></term>

224

260

227

263

</para>

228

264

</listitem>

229

265

</varlistentry>

266

267

268

269

270

<xi:include href="mandos-options.xml" xpointer="dbus"/>

271

<para>

272

See also <xref linkend="dbus_interface"/>.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

230

298

</variablelist>

231

299

</refsect1>

232

300

233

301

234

302

<title>OVERVIEW</title>

235

303

<xi:include href="overview.xml"/>

239

307

<acronym>RAM</acronym> disk environment.

240

308

</para>

241

309

</refsect1>

242

310

243

311

244

312

<title>NETWORK PROTOCOL</title>

245

313

<para>

297

365

</row>

298

366

</tbody></tgroup></table>

299

367

</refsect1>

300

368

301

369

302

370

<title>CHECKING</title>

303

371

<para>

304

372

The server will, by default, continually check that the clients

305

373

are still up. If a client has not been confirmed as being up

306

374

for some time, the client is assumed to be compromised and is no

307

longer eligible to receive the encrypted password. The timeout,

308

checker program, and interval between checks can be configured

309

both globally and per client; see <citerefentry>

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

310

393

<refentrytitle>mandos-clients.conf</refentrytitle>

311

<manvolnum>5</manvolnum></citerefentry>.

312

</para>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

313

404

</refsect1>

314

405

315

406

316

407

<title>LOGGING</title>

317

408

<para>

321

412

and also show them on the console.

322

413

</para>

323

414

</refsect1>

324

415

416

417

<title>D-BUS INTERFACE</title>

418

<para>

419

The server will by default provide a D-Bus system bus interface.

420

This interface will only be accessible by the root user or a

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

423

</para>

424

</refsect1>

425

325

426

326

427

<title>EXIT STATUS</title>

327

428

<para>

329

430

critical error is encountered.

330

431

</para>

331

432

</refsect1>

332

433

333

434

334

435

<title>ENVIRONMENT</title>

335

436

349

450

</varlistentry>

350

451

</variablelist>

351

452

</refsect1>

352

353

453

454

354

455

<title>FILES</title>

355

456

<para>

356

457

Use the <option>--configdir</option> option to change where

382

483

<term><filename>/var/run/mandos.pid</filename></term>

383

484

384

485

<para>

385

The file containing the process id of

386

<command>&COMMANDNAME;</command>.

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

<term><filename

493

class="directory">/var/lib/mandos</filename></term>

494

495

<para>

496

Directory where persistent state will be saved. Change

497

this with the <option>--statedir</option> option. See

498

also the <option>--no-restore</option> option.

387

499

</para>

388

500

</listitem>

389

501

</varlistentry>

417

529

backtrace. This could be considered a feature.

418

530

</para>

419

531

<para>

420

Currently, if a client is declared <quote>invalid</quote> due to

421

having timed out, the server does not record this fact onto

422

permanent storage. This has some security implications, see

423

<xref linkend="CLIENTS"/>.

424

</para>

425

<para>

426

There is currently no way of querying the server of the current

427

status of clients, other than analyzing its <systemitem

428

class="service">syslog</systemitem> output.

429

</para>

430

<para>

431

532

There is no fine-grained control over logging and debug output.

432

533

</para>

433

534

<para>

434

535

Debug mode is conflated with running in the foreground.

435

536

</para>

436

537

<para>

437

The console log messages does not show a time stamp.

438

</para>

439

<para>

440

538

This server does not check the expire time of clients’ OpenPGP

441

539

keys.

442

540

</para>

455

553

456

554

<para>

457

555

Run the server in debug mode, read configuration files from

458

the <filename>~/mandos</filename> directory, and use the

459

Zeroconf service name <quote>Test</quote> to not collide with

460

any other official Mandos server on this host:

556

the <filename class="directory">~/mandos</filename> directory,

557

and use the Zeroconf service name <quote>Test</quote> to not

558

collide with any other official Mandos server on this host:

461

559

</para>

462

560

<para>

463

561

479

577

</para>

480

578

</informalexample>

481

579

</refsect1>

482

580

483

581

484

582

<title>SECURITY</title>

485

583

486

584

<title>SERVER</title>

487

585

<para>

488

586

Running this <command>&COMMANDNAME;</command> server program

491

589

soon after startup.

492

590

</para>

493

591

</refsect2>

494

592

495

593

<title>CLIENTS</title>

496

594

<para>

497

595

The server only gives out its stored data to clients which

504

602

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

505

603

<manvolnum>5</manvolnum></citerefentry>)

506

604

<emphasis>must</emphasis> be made non-readable by anyone

507

except the user running the server.

605

except the user starting the server (usually root).

508

606

</para>

509

607

<para>

510

608

As detailed in <xref linkend="checking"/>, the status of all

512

610

compromised if they are gone for too long.

513

611

</para>

514

612

<para>

515

If a client is compromised, its downtime should be duly noted

516

by the server which would therefore declare the client

517

invalid. But if the server was ever restarted, it would

518

re-read its client list from its configuration file and again

519

regard all clients therein as valid, and hence eligible to

520

receive their passwords. Therefore, be careful when

521

restarting servers if it is suspected that a client has, in

522

fact, been compromised by parties who may now be running a

523

fake Mandos client with the keys from the non-encrypted

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

527

configuration file to omit any suspect clients, and restart

528

the server program.

529

</para>

530

<para>

531

613

For more details on client-side security, see

532

614

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

615

<manvolnum>8mandos</manvolnum></citerefentry>.

534

616

</para>

535

617

</refsect2>

536

618

</refsect1>

537

619

538

620

539

621

540

622

<para>

541

542

<refentrytitle>mandos-clients.conf</refentrytitle>

543

544

<refentrytitle>mandos.conf</refentrytitle>

545

546

<refentrytitle>mandos-client</refentrytitle>

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

549

</citerefentry>

623

<citerefentry><refentrytitle>intro</refentrytitle>

624

<manvolnum>8mandos</manvolnum></citerefentry>,

625

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

626

<manvolnum>5</manvolnum></citerefentry>,

627

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

628

<manvolnum>5</manvolnum></citerefentry>,

629

<citerefentry><refentrytitle>mandos-client</refentrytitle>

630

<manvolnum>8mandos</manvolnum></citerefentry>,

631

632

550

633

</para>

551

634

552

635

Older »