/mandos/trunk : revision 534

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: teddy at bsnet
Date: 2011-12-25 00:40:09 UTC
Revision ID: teddy@fukt.bsnet.se-20111225004009-n5uimmac6h8djtv8

* plugin-runner.c (add_to_char_array): Added "nonnull" attribute.
  (add_argument): Added "nonnull" attribute on the "arg" argument.
  (add_environment): Added "nonnull" attribute on the "def" argument.
  (print_out_password, free_plugin): Added "nonnull" attribute.
  (main/parse_opt): Added "nonnull" attribute on the "state" argument.
* plugins.d/mandos-client.c (perror_plus): Bug fix; restore errno
                                           after fprintf().
* plugins.d/password-prompt.c (fprintf_plus): New.
(conflict_detection/is_plymouth, main/parse_opt): Added "nonnull"
                                                   attribute.
(conflict_detection/is_plymouth, conflict_detection, main): Bug fix;
                                                             Call
                                                             error_plus()
                                                             instead
                                                             of
                                                             error().
  (main/parse_opt): Added "nonnull" attribute on the "state" argument.
* plugins.d/plymouth.c (exec_and_wait): Added "nonnull" attribute on
                                        the "path" and "argv"
                                        arguments.
  (is_plymouth): Added "nonnull" attribute.

files added:
DBUS-API

dbus-mandos.conf

debian/source

debian/source/format

debian/source/local-options

debian/watch

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

plugins.d/plymouth.c

plugins.d/plymouth.xml

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

files renamed:
mandos-list => mandos-ctl

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2009-01-04">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

109

122

<para>

110

123

<command>&COMMANDNAME;</command> is a server daemon which

111

124

handles incoming request for passwords for a pre-defined list of

112

client host computers. The Mandos server uses Zeroconf to

113

announce itself on the local network, and uses TLS to

114

communicate securely with and to authenticate the clients. The

115

Mandos server uses IPv6 to allow Mandos clients to use IPv6

116

link-local addresses, since the clients will probably not have

117

any other addresses configured (see <xref linkend="overview"/>).

118

Any authenticated client is then given the stored pre-encrypted

119

password for that specific client.

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

120

135

</para>

121

136

</refsect1>

122

137

191

206

</varlistentry>

192

207

193

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

194

227

<term><option>--priority <replaceable>

195

228

PRIORITY</replaceable></option></term>

196

229

240

273

</para>

241

274

</listitem>

242

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

243

298

</variablelist>

244

299

</refsect1>

245

300

317

372

The server will, by default, continually check that the clients

318

373

are still up. If a client has not been confirmed as being up

319

374

for some time, the client is assumed to be compromised and is no

320

longer eligible to receive the encrypted password. The timeout,

321

checker program, and interval between checks can be configured

322

both globally and per client; see <citerefentry>

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

323

393

<refentrytitle>mandos-clients.conf</refentrytitle>

324

<manvolnum>5</manvolnum></citerefentry>.

325

</para>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

326

404

</refsect1>

327

405

328

406

329

407

<title>LOGGING</title>

330

408

<para>

331

409

The server will send log message with various severity levels to

332

<filename>/dev/log</filename>. With the

410

<filename class="devicefile">/dev/log</filename>. With the

333

411

<option>--debug</option> option, it will log even more messages,

334

412

and also show them on the console.

335

413

</para>

340

418

<para>

341

419

The server will by default provide a D-Bus system bus interface.

342

420

This interface will only be accessible by the root user or a

343

Mandos-specific user, if such a user exists.

344

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

345

423

</para>

346

424

</refsect1>

347

425

348

426

349

427

<title>EXIT STATUS</title>

350

428

<para>

405

483

<term><filename>/var/run/mandos.pid</filename></term>

406

484

407

485

<para>

408

The file containing the process id of

409

<command>&COMMANDNAME;</command>.

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

493

</varlistentry>

494

495

<term><filename

496

class="directory">/var/lib/mandos</filename></term>

497

498

<para>

499

Directory where persistent state will be saved. Change

500

this with the <option>--statedir</option> option. See

501

also the <option>--no-restore</option> option.

410

502

</para>

411

503

</listitem>

412

504

</varlistentry>

440

532

backtrace. This could be considered a feature.

441

533

</para>

442

534

<para>

443

Currently, if a client is declared <quote>invalid</quote> due to

444

having timed out, the server does not record this fact onto

445

permanent storage. This has some security implications, see

446

<xref linkend="clients"/>.

447

</para>

448

<para>

449

There is currently no way of querying the server of the current

450

status of clients, other than analyzing its <systemitem

451

class="service">syslog</systemitem> output.

452

</para>

453

<para>

454

535

There is no fine-grained control over logging and debug output.

455

536

</para>

456

537

<para>

457

538

Debug mode is conflated with running in the foreground.

458

539

</para>

459

540

<para>

460

The console log messages does not show a time stamp.

461

</para>

462

<para>

463

541

This server does not check the expire time of clients’ OpenPGP

464

542

keys.

465

543

</para>

478

556

479

557

<para>

480

558

Run the server in debug mode, read configuration files from

481

the <filename>~/mandos</filename> directory, and use the

482

Zeroconf service name <quote>Test</quote> to not collide with

483

any other official Mandos server on this host:

559

the <filename class="directory">~/mandos</filename> directory,

560

and use the Zeroconf service name <quote>Test</quote> to not

561

collide with any other official Mandos server on this host:

484

562

</para>

485

563

<para>

486

564

535

613

compromised if they are gone for too long.

536

614

</para>

537

615

<para>

538

If a client is compromised, its downtime should be duly noted

539

by the server which would therefore declare the client

540

invalid. But if the server was ever restarted, it would

541

re-read its client list from its configuration file and again

542

regard all clients therein as valid, and hence eligible to

543

receive their passwords. Therefore, be careful when

544

restarting servers if it is suspected that a client has, in

545

fact, been compromised by parties who may now be running a

546

fake Mandos client with the keys from the non-encrypted

547

initial <acronym>RAM</acronym> image of the client host. What

548

should be done in that case (if restarting the server program

549

really is necessary) is to stop the server program, edit the

550

configuration file to omit any suspect clients, and restart

551

the server program.

552

</para>

553

<para>

554

616

For more details on client-side security, see

555

617

<citerefentry><refentrytitle>mandos-client</refentrytitle>

556

618

<manvolnum>8mandos</manvolnum></citerefentry>.

561

623

562

624

563

625

<para>

564

565

<refentrytitle>mandos-clients.conf</refentrytitle>

566

567

<refentrytitle>mandos.conf</refentrytitle>

568

569

<refentrytitle>mandos-client</refentrytitle>

570

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

571

572

</citerefentry>

626

<citerefentry><refentrytitle>intro</refentrytitle>

627

<manvolnum>8mandos</manvolnum></citerefentry>,

628

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

629

<manvolnum>5</manvolnum></citerefentry>,

630

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

631

<manvolnum>5</manvolnum></citerefentry>,

632

<citerefentry><refentrytitle>mandos-client</refentrytitle>

633

<manvolnum>8mandos</manvolnum></citerefentry>,

634

635

573

636

</para>

574

637

575

638

Older »