/mandos/trunk : revision 522

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: teddy at bsnet
Date: 2011-11-12 18:15:29 UTC
mfrom: (521.1.1 doc-filename-class)
Revision ID: teddy@fukt.bsnet.se-20111112181529-v4emlw0v5fugv2tk

Merge doc markup fixes.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2011-10-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

102

103

104

100

105

</group>

101

106

</cmdsynopsis>

102

107

103

108

<command>&COMMANDNAME;</command>

104

<arg choice="plain">--version</arg>

109

<arg choice="plain"><option>--version</option></arg>

105

110

</cmdsynopsis>

106

111

107

112

<command>&COMMANDNAME;</command>

108

<arg choice="plain">--check</arg>

113

<arg choice="plain"><option>--check</option></arg>

109

114

</cmdsynopsis>

110

115

</refsynopsisdiv>

111

116

112

117

113

118

<title>DESCRIPTION</title>

114

119

<para>

115

120

<command>&COMMANDNAME;</command> is a server daemon which

116

121

handles incoming request for passwords for a pre-defined list of

117

client host computers. The Mandos server uses Zeroconf to

118

announce itself on the local network, and uses TLS to

119

communicate securely with and to authenticate the clients. The

120

Mandos server uses IPv6 to allow Mandos clients to use IPv6

121

link-local addresses, since the clients will probably not have

122

any other addresses configured (see <xref linkend="overview"/>).

123

Any authenticated client is then given the stored pre-encrypted

124

password for that specific client.

122

client host computers. For an introduction, see

123

<citerefentry><refentrytitle>intro</refentrytitle>

124

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

125

uses Zeroconf to announce itself on the local network, and uses

126

TLS to communicate securely with and to authenticate the

127

clients. The Mandos server uses IPv6 to allow Mandos clients to

128

use IPv6 link-local addresses, since the clients will probably

129

not have any other addresses configured (see <xref

130

linkend="overview"/>). Any authenticated client is then given

131

the stored pre-encrypted password for that specific client.

125

132

</para>

126

127

133

</refsect1>

128

134

129

135

130

136

<title>PURPOSE</title>

131

132

137

<para>

133

138

The purpose of this is to enable <emphasis>remote and unattended

134

139

rebooting</emphasis> of client host computer with an

135

140

<emphasis>encrypted root file system</emphasis>. See <xref

136

141

linkend="overview"/> for details.

137

142

</para>

138

139

143

</refsect1>

140

144

141

145

142

146

<title>OPTIONS</title>

143

144

147

145

148

146

149

150

147

151

148

152

<para>

149

153

Show a help message and exit

150

154

</para>

151

155

</listitem>

152

156

</varlistentry>

153

157

154

158

155

<term><literal>-i</literal>, <literal>--interface <replaceable

156

>NAME</replaceable></literal></term>

159

<term><option>--interface</option>

160

161

162

157

163

158

164

<xi:include href="mandos-options.xml" xpointer="interface"/>

159

165

</listitem>

160

166

</varlistentry>

161

167

162

168

163

<term><literal>-a</literal>, <literal>--address <replaceable>

164

ADDRESS</replaceable></literal></term>

169

<term><option>--address

170

<replaceable>ADDRESS</replaceable></option></term>

171

<term><option>-a

172

<replaceable>ADDRESS</replaceable></option></term>

165

173

166

174

<xi:include href="mandos-options.xml" xpointer="address"/>

167

175

</listitem>

168

176

</varlistentry>

169

177

170

178

171

172

PORT</replaceable></literal></term>

179

<term><option>--port

180

181

<term><option>-p

182

173

183

174

184

<xi:include href="mandos-options.xml" xpointer="port"/>

175

185

</listitem>

176

186

</varlistentry>

177

187

178

188

179

<term><literal>--check</literal></term>

189

<term><option>--check</option></term>

180

190

181

191

<para>

182

192

Run the server’s self-tests. This includes any unit

184

194

</para>

185

195

</listitem>

186

196

</varlistentry>

187

197

188

198

189

<term><literal>--debug</literal></term>

199

<term><option>--debug</option></term>

190

200

191

201

<xi:include href="mandos-options.xml" xpointer="debug"/>

192

202

</listitem>

193

203

</varlistentry>

194

195

196

<term><literal>--priority <replaceable>

197

PRIORITY</replaceable></literal></term>

204

205

206

<term><option>--debuglevel

207

<replaceable>LEVEL</replaceable></option></term>

208

209

<para>

210

Set the debugging log level.

211

<replaceable>LEVEL</replaceable> is a string, one of

212

<quote><literal>CRITICAL</literal></quote>,

213

<quote><literal>ERROR</literal></quote>,

214

<quote><literal>WARNING</literal></quote>,

215

<quote><literal>INFO</literal></quote>, or

216

<quote><literal>DEBUG</literal></quote>, in order of

217

increasing verbosity. The default level is

218

<quote><literal>WARNING</literal></quote>.

219

</para>

220

</listitem>

221

</varlistentry>

222

223

224

<term><option>--priority <replaceable>

225

PRIORITY</replaceable></option></term>

198

226

199

227

<xi:include href="mandos-options.xml" xpointer="priority"/>

200

228

</listitem>

201

229

</varlistentry>

202

230

203

231

204

<term><literal>--servicename <replaceable>NAME</replaceable>

205

</literal></term>

232

<term><option>--servicename

233

206

234

207

235

<xi:include href="mandos-options.xml"

208

236

xpointer="servicename"/>

209

237

</listitem>

210

238

</varlistentry>

211

239

212

240

213

<term><literal>--configdir <replaceable>DIR</replaceable>

214

</literal></term>

241

<term><option>--configdir

242

<replaceable>DIRECTORY</replaceable></option></term>

215

243

216

244

<para>

217

245

Directory to search for configuration files. Default is

223

251

</para>

224

252

</listitem>

225

253

</varlistentry>

226

254

227

255

228

<term><literal>--version</literal></term>

256

<term><option>--version</option></term>

229

257

230

258

<para>

231

259

Prints the program version and exit.

232

260

</para>

233

261

</listitem>

234

262

</varlistentry>

263

264

265

266

267

<xi:include href="mandos-options.xml" xpointer="dbus"/>

268

<para>

269

See also <xref linkend="dbus_interface"/>.

270

</para>

271

</listitem>

272

</varlistentry>

273

274

275

276

277

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

278

</listitem>

279

</varlistentry>

280

281

282

<term><option>--no-restore</option></term>

283

284

<xi:include href="mandos-options.xml" xpointer="restore"/>

285

</listitem>

286

</varlistentry>

235

287

</variablelist>

236

288

</refsect1>

237

289

238

290

239

291

<title>OVERVIEW</title>

240

292

<xi:include href="overview.xml"/>

241

293

<para>

242

294

This program is the server part. It is a normal server program

243

295

and will run in a normal system environment, not in an initial

244

RAM disk environment.

296

<acronym>RAM</acronym> disk environment.

245

297

</para>

246

298

</refsect1>

247

299

248

300

249

301

<title>NETWORK PROTOCOL</title>

250

302

<para>

302

354

</row>

303

355

</tbody></tgroup></table>

304

356

</refsect1>

305

357

306

358

307

359

<title>CHECKING</title>

308

360

<para>

309

361

The server will, by default, continually check that the clients

310

362

are still up. If a client has not been confirmed as being up

311

363

for some time, the client is assumed to be compromised and is no

312

longer eligible to receive the encrypted password. The timeout,

313

checker program, and interval between checks can be configured

314

both globally and per client; see <citerefentry>

364

longer eligible to receive the encrypted password. (Manual

365

intervention is required to re-enable a client.) The timeout,

366

extended timeout, checker program, and interval between checks

367

can be configured both globally and per client; see

368

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

369

<manvolnum>5</manvolnum></citerefentry>. A client successfully

370

receiving its password will also be treated as a successful

371

checker run.

372

</para>

373

</refsect1>

374

375

376

<title>APPROVAL</title>

377

<para>

378

The server can be configured to require manual approval for a

379

client before it is sent its secret. The delay to wait for such

380

approval and the default action (approve or deny) can be

381

configured both globally and per client; see <citerefentry>

315

382

<refentrytitle>mandos-clients.conf</refentrytitle>

316

<manvolnum>5</manvolnum></citerefentry>.

317

</para>

383

<manvolnum>5</manvolnum></citerefentry>. By default all clients

384

will be approved immediately without delay.

385

</para>

386

<para>

387

This can be used to deny a client its secret if not manually

388

approved within a specified time. It can also be used to make

389

the server delay before giving a client its secret, allowing

390

optional manual denying of this specific client.

391

</para>

392

318

393

</refsect1>

319

394

320

395

321

396

<title>LOGGING</title>

322

397

<para>

323

398

The server will send log message with various severity levels to

324

<filename>/dev/log</filename>. With the

399

<filename class="devicefile">/dev/log</filename>. With the

325

400

<option>--debug</option> option, it will log even more messages,

326

401

and also show them on the console.

327

402

</para>

328

403

</refsect1>

329

404

405

406

<title>D-BUS INTERFACE</title>

407

<para>

408

The server will by default provide a D-Bus system bus interface.

409

This interface will only be accessible by the root user or a

410

Mandos-specific user, if such a user exists. For documentation

411

of the D-Bus API, see the file <filename>DBUS-API</filename>.

412

</para>

413

</refsect1>

414

330

415

331

416

<title>EXIT STATUS</title>

332

417

<para>

334

419

critical error is encountered.

335

420

</para>

336

421

</refsect1>

337

422

338

423

339

424

<title>ENVIRONMENT</title>

340

425

341

426

342

427

343

428

344

429

<para>

345

430

To start the configured checker (see <xref

354

439

</varlistentry>

355

440

</variablelist>

356

441

</refsect1>

357

358

442

443

359

444

<title>FILES</title>

360

445

<para>

361

446

Use the <option>--configdir</option> option to change where

384

469

</listitem>

385

470

</varlistentry>

386

471

387

<term><filename>/var/run/mandos/mandos.pid</filename></term>

472

<term><filename>/var/run/mandos.pid</filename></term>

388

473

389

474

<para>

390

The file containing the process id of

391

<command>&COMMANDNAME;</command>.

475

The file containing the process id of the

476

<command>&COMMANDNAME;</command> process started last.

392

477

</para>

393

478

</listitem>

394

479

</varlistentry>

395

480

396

481

397

482

398

483

<para>

399

484

The Unix domain socket to where local syslog messages are

422

507

backtrace. This could be considered a feature.

423

508

</para>

424

509

<para>

425

Currently, if a client is declared <quote>invalid</quote> due to

426

having timed out, the server does not record this fact onto

427

permanent storage. This has some security implications, see

428

<xref linkend="CLIENTS"/>.

429

</para>

430

<para>

431

There is currently no way of querying the server of the current

432

status of clients, other than analyzing its <systemitem

433

class="service">syslog</systemitem> output.

510

Currently, if a client is disabled due to having timed out, the

511

server does not record this fact onto permanent storage. This

512

has some security implications, see <xref linkend="clients"/>.

434

513

</para>

435

514

<para>

436

515

There is no fine-grained control over logging and debug output.

439

518

Debug mode is conflated with running in the foreground.

440

519

</para>

441

520

<para>

442

The console log messages does not show a timestamp.

521

This server does not check the expire time of clients’ OpenPGP

522

keys.

443

523

</para>

444

524

</refsect1>

445

525

480

560

</para>

481

561

</informalexample>

482

562

</refsect1>

483

563

484

564

485

565

<title>SECURITY</title>

486

566

487

567

<title>SERVER</title>

488

568

<para>

489

569

Running this <command>&COMMANDNAME;</command> server program

490

570

should not in itself present any security risk to the host

491

computer running it. The program does not need any special

492

privileges to run, and is designed to run as a non-root user.

571

computer running it. The program switches to a non-root user

572

soon after startup.

493

573

</para>

494

574

</refsect2>

495

575

496

576

<title>CLIENTS</title>

497

577

<para>

498

578

The server only gives out its stored data to clients which

505

585

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

506

586

<manvolnum>5</manvolnum></citerefentry>)

507

587

<emphasis>must</emphasis> be made non-readable by anyone

508

except the user running the server.

588

except the user starting the server (usually root).

509

589

</para>

510

590

<para>

511

591

As detailed in <xref linkend="checking"/>, the status of all

514

594

</para>

515

595

<para>

516

596

If a client is compromised, its downtime should be duly noted

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial RAM image of the client host. What should be done in

526

that case (if restarting the server program really is

527

necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

597

by the server which would therefore disable the client. But

598

if the server was ever restarted, it would re-read its client

599

list from its configuration file and again regard all clients

600

therein as enabled, and hence eligible to receive their

601

passwords. Therefore, be careful when restarting servers if

602

it is suspected that a client has, in fact, been compromised

603

by parties who may now be running a fake Mandos client with

604

the keys from the non-encrypted initial <acronym>RAM</acronym>

605

image of the client host. What should be done in that case

606

(if restarting the server program really is necessary) is to

607

stop the server program, edit the configuration file to omit

608

any suspect clients, and restart the server program.

530

609

</para>

531

610

<para>

532

611

For more details on client-side security, see

533

<citerefentry><refentrytitle>password-request</refentrytitle>

612

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

613

<manvolnum>8mandos</manvolnum></citerefentry>.

535

614

</para>

536

615

</refsect2>

537

616

</refsect1>

538

617

539

618

540

619

541

620

<para>

542

543

<refentrytitle>mandos.conf</refentrytitle>

544

545

<refentrytitle>mandos-clients.conf</refentrytitle>

546

547

<refentrytitle>password-request</refentrytitle>

548

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

549

550

</citerefentry>

621

<citerefentry><refentrytitle>intro</refentrytitle>

622

<manvolnum>8mandos</manvolnum></citerefentry>,

623

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

624

<manvolnum>5</manvolnum></citerefentry>,

625

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

626

<manvolnum>5</manvolnum></citerefentry>,

627

<citerefentry><refentrytitle>mandos-client</refentrytitle>

628

<manvolnum>8mandos</manvolnum></citerefentry>,

629

630

551

631

</para>

552

632

553

633

Older »