/mandos/trunk : revision 594.1.4

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2012-06-13 22:06:57 UTC
mto: This revision was merged to the branch mainline in revision 596.
Revision ID: teddy@recompile.se-20120613220657-qvq7c7nrndl3t413

* plugins.d/mandos-client.c (get_flags): Don't clobber errno.
  (up_interface): Removed; replaced with "interface_is_up".
  (interface_is_up, interface_is_running,
   lower_privileges_permanently, take_down_interface): New.
  (bring_up_interface): Return "error_t".  Use new functions
                        "interface_is_up", "get_flags", and
                        "interface_is_running".
  (main): Save all interfaces either autodetected or specified with
          --interface in argz vector "interfaces".  Save interfaces to
          take down on exit in argz vector "interfaces_to_take_down".
          Save interface names for DEVICE variable to network hooks as
          argz_vector "interfaces_hooks".  Bug fix: Be privileged
          while stopping network hooks.
* plugins.d/mandos-client.xml (SYNOPSIS): Changed --interface synopsis.
  (DESCRIPTION): Updated to document use of all interfaces.
  (OPTIONS): Updated description of "--interface".
* network-hooks.d/bridge: Parse comma-separated DEVICE environment
                          variable.
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY TIMESTAMP "2012-06-13">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

100

</arg>

128

101

<sbr/>

169

142

brings up network interfaces, uses the interfaces’ IPv6

170

143

link-local addresses to get network connectivity, uses Zeroconf

171

144

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

176

149

servers are periodically retried. If no servers are found it

177

150

will wait indefinitely for new servers to appear.

178

151

</para>

245

218

assumed to separate the address from the port number.

246

219

</para>

247

220

<para>

248

Normally, Zeroconf would be used to locate Mandos servers,

249

in which case this option would only be used when testing

250

and debugging.

221

This option is normally only useful for testing and

222

debugging.

251

223

</para>

252

224

</listitem>

253

225

</varlistentry>

254

226

255

227

256

228

<term><option>--interface=<replaceable

257

>NAME</replaceable><arg rep='repeat'>,<replaceable

258

>NAME</replaceable></arg></option></term>

229

>NAME</replaceable></option></term>

259

230

<term><option>-i

260

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

261

>NAME</replaceable></arg></option></term>

231

262

232

263

233

<para>

264

234

Comma separated list of network interfaces that will be

267

237

use all appropriate interfaces.

268

238

</para>

269

239

<para>

270

If the <option>--connect</option> option is used, and

271

exactly one interface name is specified (except

272

<quote><literal>none</literal></quote>), this specifies

273

the interface to use to connect to the address given.

240

If the <option>--connect</option> option is used, this

241

specifies the interface to use to connect to the address

242

given.

274

243

</para>

275

244

<para>

276

245

Note that since this program will normally run in the

285

254

</para>

286

255

<para>

287

256

<replaceable>NAME</replaceable> can be the string

288

<quote><literal>none</literal></quote>; this will make

289

<command>&COMMANDNAME;</command> only bring up interfaces

290

specified <emphasis>before</emphasis> this string. This

291

is not recommended, and only meant for advanced users.

257

<quote><literal>none</literal></quote>; this will not use

258

any specific interface, and will not bring up an interface

259

on startup. This is not recommended, and only meant for

260

advanced users.

292

261

</para>

293

262

</listitem>

294

263

</varlistentry>

322

291

</varlistentry>

323

292

324

293

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

353

294

<term><option>--priority=<replaceable

354

295

>STRING</replaceable></option></term>

355

296

364

305

365

306

<para>

366

307

Sets the number of bits to use for the prime number in the

367

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

308

TLS Diffie-Hellman key exchange. Default is 1024.

389

309

</para>

390

310

</listitem>

391

311

</varlistentry>

518

438

519

439

520

440

<title>ENVIRONMENT</title>

521

522

523

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

524

525

<para>

526

This environment variable will be assumed to contain the

527

directory containing any helper executables. The use and

528

nature of these helper executables, if any, is purposely

529

not documented.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

534

441

<para>

535

This program does not use any other environment variables, not

536

even the ones provided by <citerefentry><refentrytitle

442

This program does not use any environment variables, not even

443

the ones provided by <citerefentry><refentrytitle

537

444

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

538

445

</citerefentry>.

539

446

</para>

601

508

It is not necessary to print any non-executable files

602

509

already in the network hook directory, these will be

603

510

copied implicitly if they otherwise satisfy the name

604

requirements.

511

requirement.

605

512

</para>

606

513

</listitem>

607

514

</varlistentry>

726

633

</listitem>

727

634

</varlistentry>

728

635

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

743

636

<term><filename

744

637

class="directory">/lib/mandos/network-hooks.d</filename></term>

745

638

753

646

</variablelist>

754

647

</refsect1>

755

648

756

757

758

<xi:include href="../bugs.xml"/>

759

</refsect1>

649

650

651

652

653

760

654

761

655

762

656

<title>EXAMPLE</title>

768

662

</para>

769

663

770

664

<para>

771

Normal invocation needs no options, if the network interfaces

665

Normal invocation needs no options, if the network interface

772

666

can be automatically determined:

773

667

</para>

774

668

<para>

777

671

</informalexample>

778

672

779

673

<para>

780

Search for Mandos servers (and connect to them) using one

781

specific interface:

674

Search for Mandos servers (and connect to them) using another

675

interface:

782

676

</para>

783

677

<para>

784

678

787

681

</informalexample>

788

682

789

683

<para>

790

Run in debug mode, and use custom keys:

684

Run in debug mode, and use a custom key:

791

685

</para>

792

686

<para>

793

687

794

688

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

689

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

796

690

797

691

</para>

798

692

</informalexample>

799

693

800

694

<para>

801

Run in debug mode, with custom keys, and do not use Zeroconf

695

Run in debug mode, with a custom key, and do not use Zeroconf

802

696

to locate a server; connect directly to the IPv6 link-local

803

697

address <quote><systemitem class="ipaddress"

804

698

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

807

701

<para>

808

702

809

703

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

704

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

811

705

812

706

</para>

813

707

</informalexample>

816

710

817

711

<title>SECURITY</title>

818

712

<para>

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

713

This program is set-uid to root, but will switch back to the

714

original (and presumably non-privileged) user and group after

715

bringing up the network interface.

822

716

</para>

823

717

<para>

824

718

To use this program for its intended purpose (see <xref

837

731

<para>

838

732

The only remaining weak point is that someone with physical

839

733

access to the client hard drive might turn off the client

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

734

computer, read the OpenPGP keys directly from the hard drive,

735

and communicate with the server. To safeguard against this, the

736

server is supposed to notice the client disappearing and stop

737

giving out the encrypted data. Therefore, it is important to

738

set the timeout and checker interval values tightly on the

739

server. See <citerefentry><refentrytitle

846

740

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

847

741

</para>

848

742

<para>

849

743

It will also help if the checker program on the server is

850

744

configured to request something from the client which can not be

851

spoofed by someone else on the network, like SSH server key

852

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

853

echo (<quote>ping</quote>) replies.

745

spoofed by someone else on the network, unlike unencrypted

746

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

854

747

</para>

855

748

<para>

856

749

<emphasis>Note</emphasis>: This makes it completely insecure to

891

784

</varlistentry>

892

785

893

786

<term>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

787

<ulink url="http://www.avahi.org/">Avahi</ulink>

895

788

</term>

896

789

897

790

<para>

902

795

</varlistentry>

903

796

904

797

<term>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

798

<ulink url="http://www.gnu.org/software/gnutls/"

799

>GnuTLS</ulink>

906

800

</term>

907

801

908

802

<para>

909

803

GnuTLS is the library this client uses to implement TLS for

910

804

communicating securely with the server, and at the same time

911

send the public key to the server.

805

send the public OpenPGP key to the server.

912

806

</para>

913

807

</listitem>

914

808

</varlistentry>

915

809

916

810

<term>

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

811

<ulink url="http://www.gnupg.org/related_software/gpgme/"

918

812

>GPGME</ulink>

919

813

</term>

920

814

948

842

<para>

949

843

This client uses IPv6 link-local addresses, which are

950

844

immediately usable since a link-local addresses is

951

automatically assigned to a network interface when it

845

automatically assigned to a network interfaces when it

952

846

is brought up.

953

847

</para>

954

848

</listitem>

958

852

</varlistentry>

959

853

960

854

<term>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

855

RFC 4346: <citetitle>The Transport Layer Security (TLS)

856

Protocol Version 1.1</citetitle>

963

857

</term>

964

858

965

859

<para>

966

TLS 1.2 is the protocol implemented by GnuTLS.

860

TLS 1.1 is the protocol implemented by GnuTLS.

967

861

</para>

968

862

</listitem>

969

863

</varlistentry>

980

874

</varlistentry>

981

875

982

876

<term>

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

877

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

998

878

Security</citetitle>

999

879

</term>

1000

880

1001

881

<para>

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

882

This is implemented by GnuTLS and used by this program so

883

that OpenPGP keys can be used.

1005

884

</para>

1006

885

</listitem>

1007

886

</varlistentry>

Older »