/mandos/trunk : revision 609

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2012-06-23 00:58:49 UTC
Revision ID: teddy@recompile.se-20120623005849-02wj82cng433rt2k

* clients.conf: Convert all time intervals to new RFC 3339 syntax.
* mandos: All client options for time intervals now take an RFC 3339
          duration.
  (rfc3339_duration_to_delta): New function.
  (string_to_delta): Try rfc3339_duration_to_delta first.
* mandos-clients.conf.xml (OPTIONS/timeout): Document new format.
  (EXAMPLE): Update to new interval format.
  (SEE ALSO): Reference RFC 3339.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY TIMESTAMP "2012-06-17">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

100

</arg>

128

101

<sbr/>

169

142

brings up network interfaces, uses the interfaces’ IPv6

170

143

link-local addresses to get network connectivity, uses Zeroconf

171

144

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

176

149

servers are periodically retried. If no servers are found it

177

150

will wait indefinitely for new servers to appear.

178

151

</para>

196

169

</para>

197

170

<para>

198

171

This program is not meant to be run directly; it is really meant

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

172

to run as a plugin of the <application>Mandos</application>

173

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

174

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

175

initial <acronym>RAM</acronym> disk environment because it is

176

specified as a <quote>keyscript</quote> in the <citerefentry>

177

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

178

</citerefentry> file.

202

179

</para>

203

180

</refsect1>

204

181

216

193

<title>OPTIONS</title>

217

194

<para>

218

195

This program is commonly not invoked from the command line; it

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

196

is normally started by the <application>Mandos</application>

197

plugin runner, see <citerefentry><refentrytitle

198

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

199

</citerefentry>. Any command line options this program accepts

200

are therefore normally provided by the plugin runner, and not

201

directly.

223

202

</para>

224

203

225

204

239

218

assumed to separate the address from the port number.

240

219

</para>

241

220

<para>

242

Normally, Zeroconf would be used to locate Mandos servers,

243

in which case this option would only be used when testing

244

and debugging.

221

This option is normally only useful for testing and

222

debugging.

245

223

</para>

246

224

</listitem>

247

225

</varlistentry>

280

258

<para>

281

259

<replaceable>NAME</replaceable> can be the string

282

260

<quote><literal>none</literal></quote>; this will make

283

<command>&COMMANDNAME;</command> only bring up interfaces

284

specified <emphasis>before</emphasis> this string. This

285

is not recommended, and only meant for advanced users.

261

<command>&COMMANDNAME;</command> not bring up

262

<emphasis>any</emphasis> interfaces specified

263

<emphasis>after</emphasis> this string. This is not

264

recommended, and only meant for advanced users.

286

265

</para>

287

266

</listitem>

288

267

</varlistentry>

316

295

</varlistentry>

317

296

318

297

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

298

<term><option>--priority=<replaceable

348

299

>STRING</replaceable></option></term>

349

300

358

309

359

310

<para>

360

311

Sets the number of bits to use for the prime number in the

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

312

TLS Diffie-Hellman key exchange. Default is 1024.

383

313

</para>

384

314

</listitem>

385

315

</varlistentry>

476

406

<title>OVERVIEW</title>

477

407

<xi:include href="../overview.xml"/>

478

408

<para>

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

409

This program is the client part. It is a plugin started by

410

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

411

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

412

an initial <acronym>RAM</acronym> disk environment.

504

413

</para>

505

414

<para>

506

415

This program could, theoretically, be used as a keyscript in

507

416

<filename>/etc/crypttab</filename>, but it would then be

508

417

impossible to enter a password for the encrypted root disk at

509

418

the console, since this program does not read from the console

510

at all.

419

at all. This is why a separate plugin runner (<citerefentry>

420

<refentrytitle>plugin-runner</refentrytitle>

421

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

422

both this program and others in in parallel,

423

<emphasis>one</emphasis> of which (<citerefentry>

424

<refentrytitle>password-prompt</refentrytitle>

425

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

426

passwords on the system console.

511

427

</para>

512

428

</refsect1>

513

429

526

442

527

443

528

444

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

542

445

<para>

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

446

This program does not use any environment variables, not even

447

the ones provided by <citerefentry><refentrytitle

545

448

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

546

449

</citerefentry>.

547

450

</para>

609

512

It is not necessary to print any non-executable files

610

513

already in the network hook directory, these will be

611

514

copied implicitly if they otherwise satisfy the name

612

requirements.

515

requirement.

613

516

</para>

614

517

</listitem>

615

518

</varlistentry>

734

637

</listitem>

735

638

</varlistentry>

736

639

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

640

<term><filename

752

641

class="directory">/lib/mandos/network-hooks.d</filename></term>

753

642

761

650

</variablelist>

762

651

</refsect1>

763

652

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

653

654

655

656

657

768

658

769

659

770

660

<title>EXAMPLE</title>

771

661

<para>

772

662

Note that normally, command line options will not be given

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

663

directly, but via options for the Mandos <citerefentry

664

><refentrytitle>plugin-runner</refentrytitle>

665

<manvolnum>8mandos</manvolnum></citerefentry>.

775

666

</para>

776

667

777

668

<para>

778

Normal invocation needs no options, if the network interfaces

669

Normal invocation needs no options, if the network interface

779

670

can be automatically determined:

780

671

</para>

781

672

<para>

784

675

</informalexample>

785

676

786

677

<para>

787

Search for Mandos servers (and connect to them) using one

788

specific interface:

678

Search for Mandos servers (and connect to them) using another

679

interface:

789

680

</para>

790

681

<para>

791

682

794

685

</informalexample>

795

686

796

687

<para>

797

Run in debug mode, and use custom keys:

688

Run in debug mode, and use a custom key:

798

689

</para>

799

690

<para>

800

691

801

692

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

693

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

803

694

804

695

</para>

805

696

</informalexample>

806

697

807

698

<para>

808

Run in debug mode, with custom keys, and do not use Zeroconf

699

Run in debug mode, with a custom key, and do not use Zeroconf

809

700

to locate a server; connect directly to the IPv6 link-local

810

701

address <quote><systemitem class="ipaddress"

811

702

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

814

705

<para>

815

706

816

707

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

708

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

818

709

819

710

</para>

820

711

</informalexample>

823

714

824

715

<title>SECURITY</title>

825

716

<para>

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

717

This program is set-uid to root, but will switch back to the

718

original (and presumably non-privileged) user and group after

719

bringing up the network interface.

829

720

</para>

830

721

<para>

831

722

To use this program for its intended purpose (see <xref

844

735

<para>

845

736

The only remaining weak point is that someone with physical

846

737

access to the client hard drive might turn off the client

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

738

computer, read the OpenPGP keys directly from the hard drive,

739

and communicate with the server. To safeguard against this, the

740

server is supposed to notice the client disappearing and stop

741

giving out the encrypted data. Therefore, it is important to

742

set the timeout and checker interval values tightly on the

743

server. See <citerefentry><refentrytitle

853

744

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

854

745

</para>

855

746

<para>

856

747

It will also help if the checker program on the server is

857

748

configured to request something from the client which can not be

858

spoofed by someone else on the network, like SSH server key

859

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

860

echo (<quote>ping</quote>) replies.

749

spoofed by someone else on the network, unlike unencrypted

750

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

861

751

</para>

862

752

<para>

863

753

<emphasis>Note</emphasis>: This makes it completely insecure to

879

769

<manvolnum>5</manvolnum></citerefentry>,

880

770

<citerefentry><refentrytitle>mandos</refentrytitle>

881

771

<manvolnum>8</manvolnum></citerefentry>,

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

772

<citerefentry><refentrytitle>password-prompt</refentrytitle>

883

773

<manvolnum>8mandos</manvolnum></citerefentry>,

884

774

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

885

775

<manvolnum>8mandos</manvolnum></citerefentry>

898

788

</varlistentry>

899

789

900

790

<term>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

791

<ulink url="http://www.avahi.org/">Avahi</ulink>

902

792

</term>

903

793

904

794

<para>

909

799

</varlistentry>

910

800

911

801

<term>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

802

<ulink url="http://www.gnu.org/software/gnutls/"

803

>GnuTLS</ulink>

913

804

</term>

914

805

915

806

<para>

916

807

GnuTLS is the library this client uses to implement TLS for

917

808

communicating securely with the server, and at the same time

918

send the public key to the server.

809

send the public OpenPGP key to the server.

919

810

</para>

920

811

</listitem>

921

812

</varlistentry>

922

813

923

814

<term>

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

815

<ulink url="http://www.gnupg.org/related_software/gpgme/"

925

816

>GPGME</ulink>

926

817

</term>

927

818

955

846

<para>

956

847

This client uses IPv6 link-local addresses, which are

957

848

immediately usable since a link-local addresses is

958

automatically assigned to a network interface when it

849

automatically assigned to a network interfaces when it

959

850

is brought up.

960

851

</para>

961

852

</listitem>

965

856

</varlistentry>

966

857

967

858

<term>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

859

RFC 4346: <citetitle>The Transport Layer Security (TLS)

860

Protocol Version 1.1</citetitle>

970

861

</term>

971

862

972

863

<para>

973

TLS 1.2 is the protocol implemented by GnuTLS.

864

TLS 1.1 is the protocol implemented by GnuTLS.

974

865

</para>

975

866

</listitem>

976

867

</varlistentry>

987

878

</varlistentry>

988

879

989

880

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

881

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

1005

882

Security</citetitle>

1006

883

</term>

1007

884

1008

885

<para>

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

886

This is implemented by GnuTLS and used by this program so

887

that OpenPGP keys can be used.

1012

888

</para>

1013

889

</listitem>

1014

890

</varlistentry>

Older »