1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2012-06-17">
6
<!ENTITY % common SYSTEM "common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
19
<firstname>Björn</firstname>
20
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
26
<firstname>Teddy</firstname>
27
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
39
<holder>Teddy Hogeborn</holder>
40
<holder>Björn Påhlsson</holder>
42
<xi:include href="legalnotice.xml"/>
46
<refentrytitle>&COMMANDNAME;</refentrytitle>
47
<manvolnum>8</manvolnum>
51
<refname><command>&COMMANDNAME;</command></refname>
53
Gives encrypted passwords to authenticated Mandos clients
59
<command>&COMMANDNAME;</command>
61
<arg choice="plain"><option>--interface
62
<replaceable>NAME</replaceable></option></arg>
63
<arg choice="plain"><option>-i
64
<replaceable>NAME</replaceable></option></arg>
68
<arg choice="plain"><option>--address
69
<replaceable>ADDRESS</replaceable></option></arg>
70
<arg choice="plain"><option>-a
71
<replaceable>ADDRESS</replaceable></option></arg>
75
<arg choice="plain"><option>--port
76
<replaceable>PORT</replaceable></option></arg>
77
<arg choice="plain"><option>-p
78
<replaceable>PORT</replaceable></option></arg>
81
<arg><option>--priority
82
<replaceable>PRIORITY</replaceable></option></arg>
84
<arg><option>--servicename
85
<replaceable>NAME</replaceable></option></arg>
87
<arg><option>--configdir
88
<replaceable>DIRECTORY</replaceable></option></arg>
90
<arg><option>--debug</option></arg>
92
<arg><option>--debuglevel
93
<replaceable>LEVEL</replaceable></option></arg>
95
<arg><option>--no-dbus</option></arg>
97
<arg><option>--no-ipv6</option></arg>
99
<arg><option>--no-restore</option></arg>
101
<arg><option>--statedir
102
<replaceable>DIRECTORY</replaceable></option></arg>
104
<arg><option>--socket
105
<replaceable>FD</replaceable></option></arg>
107
<arg><option>--foreground</option></arg>
110
<command>&COMMANDNAME;</command>
112
<arg choice="plain"><option>--help</option></arg>
113
<arg choice="plain"><option>-h</option></arg>
117
<command>&COMMANDNAME;</command>
118
<arg choice="plain"><option>--version</option></arg>
121
<command>&COMMANDNAME;</command>
122
<arg choice="plain"><option>--check</option></arg>
126
<refsect1 id="description">
127
<title>DESCRIPTION</title>
129
<command>&COMMANDNAME;</command> is a server daemon which
130
handles incoming request for passwords for a pre-defined list of
131
client host computers. For an introduction, see
132
<citerefentry><refentrytitle>intro</refentrytitle>
133
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
134
uses Zeroconf to announce itself on the local network, and uses
135
TLS to communicate securely with and to authenticate the
136
clients. The Mandos server uses IPv6 to allow Mandos clients to
137
use IPv6 link-local addresses, since the clients will probably
138
not have any other addresses configured (see <xref
139
linkend="overview"/>). Any authenticated client is then given
140
the stored pre-encrypted password for that specific client.
144
<refsect1 id="purpose">
145
<title>PURPOSE</title>
147
The purpose of this is to enable <emphasis>remote and unattended
148
rebooting</emphasis> of client host computer with an
149
<emphasis>encrypted root file system</emphasis>. See <xref
150
linkend="overview"/> for details.
154
<refsect1 id="options">
155
<title>OPTIONS</title>
158
<term><option>--help</option></term>
159
<term><option>-h</option></term>
162
Show a help message and exit
168
<term><option>--interface</option>
169
<replaceable>NAME</replaceable></term>
170
<term><option>-i</option>
171
<replaceable>NAME</replaceable></term>
173
<xi:include href="mandos-options.xml" xpointer="interface"/>
178
<term><option>--address
179
<replaceable>ADDRESS</replaceable></option></term>
181
<replaceable>ADDRESS</replaceable></option></term>
183
<xi:include href="mandos-options.xml" xpointer="address"/>
189
<replaceable>PORT</replaceable></option></term>
191
<replaceable>PORT</replaceable></option></term>
193
<xi:include href="mandos-options.xml" xpointer="port"/>
198
<term><option>--check</option></term>
201
Run the server’s self-tests. This includes any unit
208
<term><option>--debug</option></term>
210
<xi:include href="mandos-options.xml" xpointer="debug"/>
215
<term><option>--debuglevel
216
<replaceable>LEVEL</replaceable></option></term>
219
Set the debugging log level.
220
<replaceable>LEVEL</replaceable> is a string, one of
221
<quote><literal>CRITICAL</literal></quote>,
222
<quote><literal>ERROR</literal></quote>,
223
<quote><literal>WARNING</literal></quote>,
224
<quote><literal>INFO</literal></quote>, or
225
<quote><literal>DEBUG</literal></quote>, in order of
226
increasing verbosity. The default level is
227
<quote><literal>WARNING</literal></quote>.
233
<term><option>--priority <replaceable>
234
PRIORITY</replaceable></option></term>
236
<xi:include href="mandos-options.xml" xpointer="priority"/>
241
<term><option>--servicename
242
<replaceable>NAME</replaceable></option></term>
244
<xi:include href="mandos-options.xml"
245
xpointer="servicename"/>
250
<term><option>--configdir
251
<replaceable>DIRECTORY</replaceable></option></term>
254
Directory to search for configuration files. Default is
255
<quote><literal>/etc/mandos</literal></quote>. See
256
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
257
<manvolnum>5</manvolnum></citerefentry> and <citerefentry>
258
<refentrytitle>mandos-clients.conf</refentrytitle>
259
<manvolnum>5</manvolnum></citerefentry>.
265
<term><option>--version</option></term>
268
Prints the program version and exit.
274
<term><option>--no-dbus</option></term>
276
<xi:include href="mandos-options.xml" xpointer="dbus"/>
278
See also <xref linkend="dbus_interface"/>.
284
<term><option>--no-ipv6</option></term>
286
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
291
<term><option>--no-restore</option></term>
293
<xi:include href="mandos-options.xml" xpointer="restore"/>
295
See also <xref linkend="persistent_state"/>.
301
<term><option>--statedir
302
<replaceable>DIRECTORY</replaceable></option></term>
304
<xi:include href="mandos-options.xml" xpointer="statedir"/>
309
<term><option>--socket
310
<replaceable>FD</replaceable></option></term>
312
<xi:include href="mandos-options.xml" xpointer="socket"/>
317
<term><option>--foreground</option></term>
319
<xi:include href="mandos-options.xml"
320
xpointer="foreground"/>
327
<refsect1 id="overview">
328
<title>OVERVIEW</title>
329
<xi:include href="overview.xml"/>
331
This program is the server part. It is a normal server program
332
and will run in a normal system environment, not in an initial
333
<acronym>RAM</acronym> disk environment.
337
<refsect1 id="protocol">
338
<title>NETWORK PROTOCOL</title>
340
The Mandos server announces itself as a Zeroconf service of type
341
<quote><literal>_mandos._tcp</literal></quote>. The Mandos
342
client connects to the announced address and port, and sends a
343
line of text where the first whitespace-separated field is the
344
protocol version, which currently is
345
<quote><literal>1</literal></quote>. The client and server then
346
start a TLS protocol handshake with a slight quirk: the Mandos
347
server program acts as a TLS <quote>client</quote> while the
348
connecting Mandos client acts as a TLS <quote>server</quote>.
349
The Mandos client must supply an OpenPGP certificate, and the
350
fingerprint of this certificate is used by the Mandos server to
351
look up (in a list read from <filename>clients.conf</filename>
352
at start time) which binary blob to give the client. No other
353
authentication or authorization is done by the server.
356
<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>
358
<entry>Mandos Client</entry>
359
<entry>Direction</entry>
360
<entry>Mandos Server</entry>
364
<entry>Connect</entry>
365
<entry>-><!-- → --></entry>
368
<entry><quote><literal>1\r\n</literal></quote></entry>
369
<entry>-><!-- → --></entry>
372
<entry>TLS handshake <emphasis>as TLS <quote>server</quote>
374
<entry><-><!-- ⟷ --></entry>
375
<entry>TLS handshake <emphasis>as TLS <quote>client</quote>
379
<entry>OpenPGP public key (part of TLS handshake)</entry>
380
<entry>-><!-- → --></entry>
384
<entry><-<!-- ← --></entry>
385
<entry>Binary blob (client will assume OpenPGP data)</entry>
389
<entry><-<!-- ← --></entry>
392
</tbody></tgroup></table>
395
<refsect1 id="checking">
396
<title>CHECKING</title>
398
The server will, by default, continually check that the clients
399
are still up. If a client has not been confirmed as being up
400
for some time, the client is assumed to be compromised and is no
401
longer eligible to receive the encrypted password. (Manual
402
intervention is required to re-enable a client.) The timeout,
403
extended timeout, checker program, and interval between checks
404
can be configured both globally and per client; see
405
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
406
<manvolnum>5</manvolnum></citerefentry>.
410
<refsect1 id="approval">
411
<title>APPROVAL</title>
413
The server can be configured to require manual approval for a
414
client before it is sent its secret. The delay to wait for such
415
approval and the default action (approve or deny) can be
416
configured both globally and per client; see <citerefentry>
417
<refentrytitle>mandos-clients.conf</refentrytitle>
418
<manvolnum>5</manvolnum></citerefentry>. By default all clients
419
will be approved immediately without delay.
422
This can be used to deny a client its secret if not manually
423
approved within a specified time. It can also be used to make
424
the server delay before giving a client its secret, allowing
425
optional manual denying of this specific client.
430
<refsect1 id="logging">
431
<title>LOGGING</title>
433
The server will send log message with various severity levels to
434
<filename class="devicefile">/dev/log</filename>. With the
435
<option>--debug</option> option, it will log even more messages,
436
and also show them on the console.
440
<refsect1 id="persistent_state">
441
<title>PERSISTENT STATE</title>
443
Client settings, initially read from
444
<filename>clients.conf</filename>, are persistent across
445
restarts, and run-time changes will override settings in
446
<filename>clients.conf</filename>. However, if a setting is
447
<emphasis>changed</emphasis> (or a client added, or removed) in
448
<filename>clients.conf</filename>, this will take precedence.
452
<refsect1 id="dbus_interface">
453
<title>D-BUS INTERFACE</title>
455
The server will by default provide a D-Bus system bus interface.
456
This interface will only be accessible by the root user or a
457
Mandos-specific user, if such a user exists. For documentation
458
of the D-Bus API, see the file <filename>DBUS-API</filename>.
462
<refsect1 id="exit_status">
463
<title>EXIT STATUS</title>
465
The server will exit with a non-zero exit status only when a
466
critical error is encountered.
470
<refsect1 id="environment">
471
<title>ENVIRONMENT</title>
474
<term><envar>PATH</envar></term>
477
To start the configured checker (see <xref
478
linkend="checking"/>), the server uses
479
<filename>/bin/sh</filename>, which in turn uses
480
<varname>PATH</varname> to search for matching commands if
481
an absolute path is not given. See <citerefentry>
482
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
490
<refsect1 id="files">
493
Use the <option>--configdir</option> option to change where
494
<command>&COMMANDNAME;</command> looks for its configurations
495
files. The default file names are listed here.
499
<term><filename>/etc/mandos/mandos.conf</filename></term>
502
Server-global settings. See
503
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
504
<manvolnum>5</manvolnum></citerefentry> for details.
509
<term><filename>/etc/mandos/clients.conf</filename></term>
512
List of clients and client-specific settings. See
513
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
514
<manvolnum>5</manvolnum></citerefentry> for details.
519
<term><filename>/var/run/mandos.pid</filename></term>
522
The file containing the process id of the
523
<command>&COMMANDNAME;</command> process started last.
528
<term><filename class="devicefile">/dev/log</filename></term>
532
class="directory">/var/lib/mandos</filename></term>
535
Directory where persistent state will be saved. Change
536
this with the <option>--statedir</option> option. See
537
also the <option>--no-restore</option> option.
542
<term><filename>/dev/log</filename></term>
545
The Unix domain socket to where local syslog messages are
551
<term><filename>/bin/sh</filename></term>
554
This is used to start the configured checker command for
555
each client. See <citerefentry>
556
<refentrytitle>mandos-clients.conf</refentrytitle>
557
<manvolnum>5</manvolnum></citerefentry> for details.
567
This server might, on especially fatal errors, emit a Python
568
backtrace. This could be considered a feature.
571
There is no fine-grained control over logging and debug output.
574
This server does not check the expire time of clients’ OpenPGP
579
<refsect1 id="example">
580
<title>EXAMPLE</title>
583
Normal invocation needs no options:
586
<userinput>&COMMANDNAME;</userinput>
591
Run the server in debug mode, read configuration files from
592
the <filename class="directory">~/mandos</filename> directory,
593
and use the Zeroconf service name <quote>Test</quote> to not
594
collide with any other official Mandos server on this host:
598
<!-- do not wrap this line -->
599
<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>
605
Run the server normally, but only listen to one interface and
606
only on the link-local address on that interface:
610
<!-- do not wrap this line -->
611
<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>
617
<refsect1 id="security">
618
<title>SECURITY</title>
619
<refsect2 id="server">
620
<title>SERVER</title>
622
Running this <command>&COMMANDNAME;</command> server program
623
should not in itself present any security risk to the host
624
computer running it. The program switches to a non-root user
628
<refsect2 id="clients">
629
<title>CLIENTS</title>
631
The server only gives out its stored data to clients which
632
does have the OpenPGP key of the stored fingerprint. This is
633
guaranteed by the fact that the client sends its OpenPGP
634
public key in the TLS handshake; this ensures it to be
635
genuine. The server computes the fingerprint of the key
636
itself and looks up the fingerprint in its list of
637
clients. The <filename>clients.conf</filename> file (see
638
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
639
<manvolnum>5</manvolnum></citerefentry>)
640
<emphasis>must</emphasis> be made non-readable by anyone
641
except the user starting the server (usually root).
644
As detailed in <xref linkend="checking"/>, the status of all
645
client computers will continually be checked and be assumed
646
compromised if they are gone for too long.
649
For more details on client-side security, see
650
<citerefentry><refentrytitle>mandos-client</refentrytitle>
651
<manvolnum>8mandos</manvolnum></citerefentry>.
656
<refsect1 id="see_also">
657
<title>SEE ALSO</title>
659
<citerefentry><refentrytitle>intro</refentrytitle>
660
<manvolnum>8mandos</manvolnum></citerefentry>,
661
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
662
<manvolnum>5</manvolnum></citerefentry>,
663
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
664
<manvolnum>5</manvolnum></citerefentry>,
665
<citerefentry><refentrytitle>mandos-client</refentrytitle>
666
<manvolnum>8mandos</manvolnum></citerefentry>,
667
<citerefentry><refentrytitle>sh</refentrytitle>
668
<manvolnum>1</manvolnum></citerefentry>
673
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
677
Zeroconf is the network protocol standard used by clients
678
for finding this Mandos server on the local network.
684
<ulink url="http://www.avahi.org/">Avahi</ulink>
688
Avahi is the library this server calls to implement
689
Zeroconf service announcements.
695
<ulink url="http://www.gnu.org/software/gnutls/"
700
GnuTLS is the library this server uses to implement TLS for
701
communicating securely with the client, and at the same time
702
confidently get the client’s public OpenPGP key.
708
RFC 4291: <citetitle>IP Version 6 Addressing
709
Architecture</citetitle>
714
<term>Section 2.2: <citetitle>Text Representation of
715
Addresses</citetitle></term>
716
<listitem><para/></listitem>
719
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
720
Address</citetitle></term>
721
<listitem><para/></listitem>
724
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
725
Addresses</citetitle></term>
728
The clients use IPv6 link-local addresses, which are
729
immediately usable since a link-local addresses is
730
automatically assigned to a network interfaces when it
740
RFC 4346: <citetitle>The Transport Layer Security (TLS)
741
Protocol Version 1.1</citetitle>
745
TLS 1.1 is the protocol implemented by GnuTLS.
751
RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
755
The data sent to clients is binary encrypted OpenPGP data.
761
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
766
This is implemented by GnuTLS and used by this server so
767
that OpenPGP keys can be used.
774
<!-- Local Variables: -->
775
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
776
<!-- time-stamp-end: "[\"']>" -->
777
<!-- time-stamp-format: "%:y-%02m-%02d" -->