/mandos/trunk : revision 617

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2013-05-22 20:00:18 UTC
Revision ID: teddy@recompile.se-20130522200018-xtbddz21pl7c69kw

* mandos: Bug fix: Don't print output from checkers when running in
          foreground.
          Bug fix: Do not fail when client is removed from
          clients.conf but saved settings remain.
  (Client.server_settings): New attribute.
  (Client.__init__): Take new "server_settings" keyword argument.  All
                     callers changed.
  (Client.start_checker): Redirect stdout and stderr for checkers when
                          running in foreground.
  (main): New "wnull" global variable for a writable /dev/null file.
          Do not restore settings for clients no longer in config file.
  (main/cleanup): Close wnull file object.  Do not save client
                  attribute "server_settings"
* mandos-monitor: Update to work in Urwid 1.0.1.
                  Adapt to work in both Python 3 and Python 2.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-02">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2012-07-23">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

</group>

<sbr/>

<group>

</arg>

<sbr/>

100

<arg>

<option>--delay <replaceable>SECONDS</replaceable></option>

100

</arg>

101

<sbr/>

102

<arg>

103

<option>--retry <replaceable>SECONDS</replaceable></option>

104

</arg>

105

<sbr/>

106

<arg>

107

<option>--network-hook-dir

108

109

</arg>

110

<sbr/>

111

<arg>

101

112

<option>--debug</option>

102

113

</arg>

103

114

</cmdsynopsis>

120

131

</group>

121

132

</cmdsynopsis>

122

133

</refsynopsisdiv>

123

134

124

135

125

136

<title>DESCRIPTION</title>

126

137

<para>

127

138

<command>&COMMANDNAME;</command> is a client program that

128

139

communicates with <citerefentry><refentrytitle

129

140

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

141

to get a password. In slightly more detail, this client program

142

brings up network interfaces, uses the interfaces’ IPv6

143

link-local addresses to get network connectivity, uses Zeroconf

144

to find servers on the local network, and communicates with

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

149

servers are periodically retried. If no servers are found it

150

will wait indefinitely for new servers to appear.

151

</para>

152

<para>

153

The network interfaces are selected like this: If any interfaces

154

are specified using the <option>--interface</option> option,

155

those interface are used. Otherwise,

156

<command>&COMMANDNAME;</command> will use all interfaces that

157

are not loopback interfaces, are not point-to-point interfaces,

158

are capable of broadcasting and do not have the NOARP flag (see

159

<citerefentry><refentrytitle>netdevice</refentrytitle>

160

<manvolnum>7</manvolnum></citerefentry>). (If the

161

<option>--connect</option> option is used, point-to-point

162

interfaces and non-broadcast interfaces are accepted.) If any

163

used interfaces are not up and running, they are first taken up

164

(and later taken down again on program exit).

165

</para>

166

<para>

167

Before network interfaces are selected, all <quote>network

168

hooks</quote> are run; see <xref linkend="network-hooks"/>.

135

169

</para>

136

170

<para>

137

171

This program is not meant to be run directly; it is really meant

138

172

to run as a plugin of the <application>Mandos</application>

139

173

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

140

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn

141

runs as a <quote>keyscript</quote> specified in the

142

<citerefentry><refentrytitle>crypttab</refentrytitle>

143

<manvolnum>5</manvolnum></citerefentry> file.

174

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

175

initial <acronym>RAM</acronym> disk environment because it is

176

specified as a <quote>keyscript</quote> in the <citerefentry>

177

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

178

</citerefentry> file.

144

179

</para>

145

180

</refsect1>

146

181

154

189

</para>

155

190

</refsect1>

156

191

157

158

<title>OVERVIEW</title>

159

<xi:include href="overview.xml"/>

160

<para>

161

This program is the client part. It is a plugin started by

162

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

164

an initial <acronym>RAM</acronym> disk environment.

165

</para>

166

<para>

167

This program could, theoretically, be used as a keyscript in

168

<filename>/etc/crypttab</filename>, but it would then be

169

impossible to enter the encrypted root disk password at the

170

console, since this program does not read from the console at

171

all. This is why a separate plugin does that, which will be run

172

in parallell to this one.

173

</para>

174

</refsect1>

175

176

192

177

193

<title>OPTIONS</title>

178

194

<para>

188

204

189

205

190

206

<term><option>--connect=<replaceable

191

>IPADDR</replaceable><literal>:</literal><replaceable

207

>ADDRESS</replaceable><literal>:</literal><replaceable

192

208

>PORT</replaceable></option></term>

193

209

<term><option>-c

194

<replaceable>IPADDR</replaceable><literal>:</literal

210

<replaceable>ADDRESS</replaceable><literal>:</literal

195

211

><replaceable>PORT</replaceable></option></term>

196

212

197

213

<para>

202

218

assumed to separate the address from the port number.

203

219

</para>

204

220

<para>

205

This option is normally only useful for debugging.

221

This option is normally only useful for testing and

222

debugging.

206

223

</para>

207

224

</listitem>

208

225

</varlistentry>

209

226

210

227

211

<term><option>--keydir=<replaceable

212

>DIRECTORY</replaceable></option></term>

213

<term><option>-d

214

<replaceable>DIRECTORY</replaceable></option></term>

215

216

<para>

217

Directory to read the OpenPGP key files

218

<filename>pubkey.txt</filename> and

219

<filename>seckey.txt</filename> from. The default is

220

<filename>/conf/conf.d/mandos</filename> (in the initial

221

<acronym>RAM</acronym> disk environment).

222

</para>

223

</listitem>

224

</varlistentry>

225

226

227

<term><option>--interface=

228

228

<term><option>--interface=<replaceable

229

>NAME</replaceable><arg rep='repeat'>,<replaceable

230

>NAME</replaceable></arg></option></term>

229

231

<term><option>-i

230

232

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

233

>NAME</replaceable></arg></option></term>

231

234

232

235

<para>

233

Network interface that will be brought up and scanned for

234

Mandos servers to connect to. The default it

235

<quote><literal>eth0</literal></quote>.

236

Comma separated list of network interfaces that will be

237

brought up and scanned for Mandos servers to connect to.

238

The default is the empty string, which will automatically

239

use all appropriate interfaces.

240

</para>

241

<para>

242

If the <option>--connect</option> option is used, and

243

exactly one interface name is specified (except

244

<quote><literal>none</literal></quote>), this specifies

245

the interface to use to connect to the address given.

246

</para>

247

<para>

248

Note that since this program will normally run in the

249

initial RAM disk environment, the interface must be an

250

interface which exists at that stage. Thus, the interface

251

can normally not be a pseudo-interface such as

252

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

253

will not exist until much later in the boot process, and

254

can not be used by this program, unless created by a

255

<quote>network hook</quote> — see <xref

256

linkend="network-hooks"/>.

257

</para>

258

<para>

259

<replaceable>NAME</replaceable> can be the string

260

<quote><literal>none</literal></quote>; this will make

261

<command>&COMMANDNAME;</command> not bring up

262

<emphasis>any</emphasis> interfaces specified

263

<emphasis>after</emphasis> this string. This is not

264

recommended, and only meant for advanced users.

236

265

</para>

237

266

</listitem>

238

267

</varlistentry>

244

273

245

274

246

275

<para>

247

OpenPGP public key file name. This will be combined with

248

the directory from the <option>--keydir</option> option to

249

form an absolute file name. The default name is

250

<quote><literal>pubkey.txt</literal></quote>.

276

OpenPGP public key file name. The default name is

277

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

278

></quote>.

251

279

</para>

252

280

</listitem>

253

281

</varlistentry>

254

282

255

283

256

284

<term><option>--seckey=<replaceable

257

285

>FILE</replaceable></option></term>

259

287

260

288

261

289

<para>

262

OpenPGP secret key file name. This will be combined with

263

the directory from the <option>--keydir</option> option to

264

form an absolute file name. The default name is

265

<quote><literal>seckey.txt</literal></quote>.

290

OpenPGP secret key file name. The default name is

291

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

292

></quote>.

266

293

</para>

267

294

</listitem>

268

295

</varlistentry>

271

298

<term><option>--priority=<replaceable

272

299

>STRING</replaceable></option></term>

273

300

274

<xi:include href="mandos-options.xml" xpointer="priority"/>

301

<xi:include href="../mandos-options.xml"

302

xpointer="priority"/>

275

303

</listitem>

276

304

</varlistentry>

277

305

278

306

279

307

<term><option>--dh-bits=<replaceable

280

308

>BITS</replaceable></option></term>

285

313

</para>

286

314

</listitem>

287

315

</varlistentry>

316

317

318

<term><option>--delay=<replaceable

319

>SECONDS</replaceable></option></term>

320

321

<para>

322

After bringing a network interface up, the program waits

323

for the interface to arrive in a <quote>running</quote>

324

state before proceeding. During this time, the kernel log

325

level will be lowered to reduce clutter on the system

326

console, alleviating any other plugins which might be

327

using the system console. This option sets the upper

328

limit of seconds to wait. The default is 2.5 seconds.

329

</para>

330

</listitem>

331

</varlistentry>

332

333

334

<term><option>--retry=<replaceable

335

>SECONDS</replaceable></option></term>

336

337

<para>

338

All Mandos servers are tried repeatedly until a password

339

is received. This value specifies, in seconds, how long

340

between each successive try <emphasis>for the same

341

server</emphasis>. The default is 10 seconds.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

<term><option>--network-hook-dir=<replaceable

348

>DIR</replaceable></option></term>

349

350

<para>

351

Network hook directory. The default directory is

352

<quote><filename class="directory"

353

>/lib/mandos/network-hooks.d</filename></quote>.

354

</para>

355

</listitem>

356

</varlistentry>

288

357

289

358

290

359

<term><option>--debug</option></term>

320

389

</para>

321

390

</listitem>

322

391

</varlistentry>

323

392

324

393

325

394

<term><option>--version</option></term>

326

395

332

401

</varlistentry>

333

402

</variablelist>

334

403

</refsect1>

335

404

405

406

<title>OVERVIEW</title>

407

<xi:include href="../overview.xml"/>

408

<para>

409

This program is the client part. It is a plugin started by

410

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

411

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

412

an initial <acronym>RAM</acronym> disk environment.

413

</para>

414

<para>

415

This program could, theoretically, be used as a keyscript in

416

<filename>/etc/crypttab</filename>, but it would then be

417

impossible to enter a password for the encrypted root disk at

418

the console, since this program does not read from the console

419

at all. This is why a separate plugin runner (<citerefentry>

420

<refentrytitle>plugin-runner</refentrytitle>

421

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

422

both this program and others in in parallel,

423

<emphasis>one</emphasis> of which (<citerefentry>

424

<refentrytitle>password-prompt</refentrytitle>

425

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

426

passwords on the system console.

427

</para>

428

</refsect1>

429

336

430

337

431

<title>EXIT STATUS</title>

338

432

<para>

340

434

server could be found and the password received from it could be

341

435

successfully decrypted and output on standard output. The

342

436

program will exit with a non-zero exit status only if a critical

343

error occurs. Otherwise, it will forever connect to new

344

<application>Mandosservers</application> servers as they appear,

345

trying to get a decryptable password.

346

</para>

347

</refsect1>

348

349

350

437

error occurs. Otherwise, it will forever connect to any

438

discovered <application>Mandos</application> servers, trying to

439

get a decryptable password and print it.

440

</para>

441

</refsect1>

442

443

444

<title>ENVIRONMENT</title>

445

<para>

446

This program does not use any environment variables, not even

447

the ones provided by <citerefentry><refentrytitle

448

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

449

</citerefentry>.

450

</para>

451

</refsect1>

452

453

454

<title>NETWORK HOOKS</title>

455

<para>

456

If a network interface like a bridge or tunnel is required to

457

find a Mandos server, this requires the interface to be up and

458

running before <command>&COMMANDNAME;</command> starts looking

459

for Mandos servers. This can be accomplished by creating a

460

<quote>network hook</quote> program, and placing it in a special

461

directory.

462

</para>

463

<para>

464

Before the network is used (and again before program exit), any

465

runnable programs found in the network hook directory are run

466

with the argument <quote><literal>start</literal></quote> or

467

<quote><literal>stop</literal></quote>. This should bring up or

468

down, respectively, any network interface which

469

<command>&COMMANDNAME;</command> should use.

470

</para>

471

472

<title>REQUIREMENTS</title>

473

<para>

474

A network hook must be an executable file, and its name must

475

consist entirely of upper and lower case letters, digits,

476

underscores, periods, and hyphens.

477

</para>

478

<para>

479

A network hook will receive one argument, which can be one of

480

the following:

481

</para>

482

483

484

<term><literal>start</literal></term>

485

486

<para>

487

This should make the network hook create (if necessary)

488

and bring up a network interface.

489

</para>

490

</listitem>

491

</varlistentry>

492

493

494

495

<para>

496

This should make the network hook take down a network

497

interface, and delete it if it did not exist previously.

498

</para>

499

</listitem>

500

</varlistentry>

501

502

<term><literal>files</literal></term>

503

504

<para>

505

This should make the network hook print, <emphasis>one

506

file per line</emphasis>, all the files needed for it to

507

run. (These files will be copied into the initial RAM

508

filesystem.) Typical use is for a network hook which is

509

a shell script to print its needed binaries.

510

</para>

511

<para>

512

It is not necessary to print any non-executable files

513

already in the network hook directory, these will be

514

copied implicitly if they otherwise satisfy the name

515

requirements.

516

</para>

517

</listitem>

518

</varlistentry>

519

520

<term><literal>modules</literal></term>

521

522

<para>

523

This should make the network hook print, <emphasis>on

524

separate lines</emphasis>, all the kernel modules needed

525

for it to run. (These modules will be copied into the

526

initial RAM filesystem.) For instance, a tunnel

527

interface needs the

528

<quote><literal>tun</literal></quote> module.

529

</para>

530

</listitem>

531

</varlistentry>

532

</variablelist>

533

<para>

534

The network hook will be provided with a number of environment

535

variables:

536

</para>

537

538

539

<term><envar>MANDOSNETHOOKDIR</envar></term>

540

541

<para>

542

The network hook directory, specified to

543

<command>&COMMANDNAME;</command> by the

544

<option>--network-hook-dir</option> option. Note: this

545

should <emphasis>always</emphasis> be used by the

546

network hook to refer to itself or any files in the hook

547

directory it may require.

548

</para>

549

</listitem>

550

</varlistentry>

551

552

<term><envar>DEVICE</envar></term>

553

554

<para>

555

The network interfaces, as specified to

556

<command>&COMMANDNAME;</command> by the

557

<option>--interface</option> option, combined to one

558

string and separated by commas. If this is set, and

559

does not contain the interface a hook will bring up,

560

there is no reason for a hook to continue.

561

</para>

562

</listitem>

563

</varlistentry>

564

565

566

567

<para>

568

This will be the same as the first argument;

569

i.e. <quote><literal>start</literal></quote>,

570

<quote><literal>stop</literal></quote>,

571

<quote><literal>files</literal></quote>, or

572

<quote><literal>modules</literal></quote>.

573

</para>

574

</listitem>

575

</varlistentry>

576

577

<term><envar>VERBOSITY</envar></term>

578

579

<para>

580

This will be the <quote><literal>1</literal></quote> if

581

the <option>--debug</option> option is passed to

582

<command>&COMMANDNAME;</command>, otherwise

583

<quote><literal>0</literal></quote>.

584

</para>

585

</listitem>

586

</varlistentry>

587

588

<term><envar>DELAY</envar></term>

589

590

<para>

591

This will be the same as the <option>--delay</option>

592

option passed to <command>&COMMANDNAME;</command>. Is

593

only set if <envar>MODE</envar> is

594

<quote><literal>start</literal></quote> or

595

<quote><literal>stop</literal></quote>.

596

</para>

597

</listitem>

598

</varlistentry>

599

600

<term><envar>CONNECT</envar></term>

601

602

<para>

603

This will be the same as the <option>--connect</option>

604

option passed to <command>&COMMANDNAME;</command>. Is

605

only set if <option>--connect</option> is passed and

606

<envar>MODE</envar> is

607

<quote><literal>start</literal></quote> or

608

<quote><literal>stop</literal></quote>.

609

</para>

610

</listitem>

611

</varlistentry>

612

</variablelist>

613

<para>

614

A hook may not read from standard input, and should be

615

restrictive in printing to standard output or standard error

616

unless <varname>VERBOSITY</varname> is

617

<quote><literal>1</literal></quote>.

618

</para>

619

</refsect2>

620

</refsect1>

621

622

623

<title>FILES</title>

624

625

626

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

627

></term>

628

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

629

></term>

630

631

<para>

632

OpenPGP public and private key files, in <quote>ASCII

633

Armor</quote> format. These are the default file names,

634

they can be changed with the <option>--pubkey</option> and

635

<option>--seckey</option> options.

636

</para>

637

</listitem>

638

</varlistentry>

639

640

<term><filename

641

class="directory">/lib/mandos/network-hooks.d</filename></term>

642

643

<para>

644

Directory where network hooks are located. Change this

645

with the <option>--network-hook-dir</option> option. See

646

<xref linkend="network-hooks"/>.

647

</para>

648

</listitem>

649

</varlistentry>

650

</variablelist>

651

</refsect1>

652

653

654

351

655

352

353

656

354

657

355

658

356

357

<title>FILES</title>

358

<para>

359

</para>

360

</refsect1>

361

362

363

364

<para>

365

</para>

366

</refsect1>

367

368

659

369

660

<title>EXAMPLE</title>

370

661

<para>

662

Note that normally, command line options will not be given

663

directly, but via options for the Mandos <citerefentry

664

><refentrytitle>plugin-runner</refentrytitle>

665

<manvolnum>8mandos</manvolnum></citerefentry>.

371

666

</para>

667

668

<para>

669

Normal invocation needs no options, if the network interface

670

can be automatically determined:

671

</para>

672

<para>

673

<userinput>&COMMANDNAME;</userinput>

674

</para>

675

</informalexample>

676

677

<para>

678

Search for Mandos servers (and connect to them) using another

679

interface:

680

</para>

681

<para>

682

683

<userinput>&COMMANDNAME; --interface eth1</userinput>

684

</para>

685

</informalexample>

686

687

<para>

688

Run in debug mode, and use a custom key:

689

</para>

690

<para>

691

692

693

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

694

695

</para>

696

</informalexample>

697

698

<para>

699

Run in debug mode, with a custom key, and do not use Zeroconf

700

to locate a server; connect directly to the IPv6 link-local

701

address <quote><systemitem class="ipaddress"

702

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

703

using interface eth2:

704

</para>

705

<para>

706

707

708

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

709

710

</para>

711

</informalexample>

372

712

</refsect1>

373

713

374

714

375

715

<title>SECURITY</title>

376

716

<para>

717

This program is set-uid to root, but will switch back to the

718

original (and presumably non-privileged) user and group after

719

bringing up the network interface.

720

</para>

721

<para>

722

To use this program for its intended purpose (see <xref

723

linkend="purpose"/>), the password for the root file system will

724

have to be given out to be stored in a server computer, after

725

having been encrypted using an OpenPGP key. This encrypted data

726

which will be stored in a server can only be decrypted by the

727

OpenPGP key, and the data will only be given out to those

728

clients who can prove they actually have that key. This key,

729

however, is stored unencrypted on the client side in its initial

730

<acronym>RAM</acronym> disk image file system. This is normally

731

readable by all, but this is normally fixed during installation

732

of this program; file permissions are set so that no-one is able

733

to read that file.

734

</para>

735

<para>

736

The only remaining weak point is that someone with physical

737

access to the client hard drive might turn off the client

738

computer, read the OpenPGP keys directly from the hard drive,

739

and communicate with the server. To safeguard against this, the

740

server is supposed to notice the client disappearing and stop

741

giving out the encrypted data. Therefore, it is important to

742

set the timeout and checker interval values tightly on the

743

server. See <citerefentry><refentrytitle

744

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

745

</para>

746

<para>

747

It will also help if the checker program on the server is

748

configured to request something from the client which can not be

749

spoofed by someone else on the network, unlike unencrypted

750

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

751

</para>

752

<para>

753

<emphasis>Note</emphasis>: This makes it completely insecure to

754

have <application >Mandos</application> clients which dual-boot

755

to another operating system which is <emphasis>not</emphasis>

756

trusted to keep the initial <acronym>RAM</acronym> disk image

757

confidential.

377

758

</para>

378

759

</refsect1>

379

760

380

761

381

762

382

763

<para>

764

<citerefentry><refentrytitle>intro</refentrytitle>

765

<manvolnum>8mandos</manvolnum></citerefentry>,

766

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

767

<manvolnum>8</manvolnum></citerefentry>,

768

<citerefentry><refentrytitle>crypttab</refentrytitle>

769

<manvolnum>5</manvolnum></citerefentry>,

383

770

<citerefentry><refentrytitle>mandos</refentrytitle>

384

771

<manvolnum>8</manvolnum></citerefentry>,

385

772

<citerefentry><refentrytitle>password-prompt</refentrytitle>

387

774

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

388

775

<manvolnum>8mandos</manvolnum></citerefentry>

389

776

</para>

390

391

392

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

393

</para></listitem>

394

395

396

<ulink url="http://www.avahi.org/">Avahi</ulink>

397

</para></listitem>

398

399

400

<ulink

401

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

402

</para></listitem>

403

404

405

<ulink

406

url="http://www.gnupg.org/related_software/gpgme/">

407

GPGME</ulink>

408

</para></listitem>

409

410

411

<citation>RFC 4880: <citetitle>OpenPGP Message

412

Format</citetitle></citation>

413

</para></listitem>

414

415

416

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

417

Transport Layer Security</citetitle></citation>

418

</para></listitem>

419

420

421

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

422

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

423

Unicast Addresses</citation>

424

</para></listitem>

425

</itemizedlist>

777

778

779

<term>

780

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

781

</term>

782

783

<para>

784

Zeroconf is the network protocol standard used for finding

785

Mandos servers on the local network.

786

</para>

787

</listitem>

788

</varlistentry>

789

790

<term>

791

<ulink url="http://www.avahi.org/">Avahi</ulink>

792

</term>

793

794

<para>

795

Avahi is the library this program calls to find Zeroconf

796

services.

797

</para>

798

</listitem>

799

</varlistentry>

800

801

<term>

802

<ulink url="http://www.gnu.org/software/gnutls/"

803

>GnuTLS</ulink>

804

</term>

805

806

<para>

807

GnuTLS is the library this client uses to implement TLS for

808

communicating securely with the server, and at the same time

809

send the public OpenPGP key to the server.

810

</para>

811

</listitem>

812

</varlistentry>

813

814

<term>

815

<ulink url="http://www.gnupg.org/related_software/gpgme/"

816

>GPGME</ulink>

817

</term>

818

819

<para>

820

GPGME is the library used to decrypt the OpenPGP data sent

821

by the server.

822

</para>

823

</listitem>

824

</varlistentry>

825

826

<term>

827

RFC 4291: <citetitle>IP Version 6 Addressing

828

Architecture</citetitle>

829

</term>

830

831

832

833

<term>Section 2.2: <citetitle>Text Representation of

834

Addresses</citetitle></term>

835

836

</varlistentry>

837

838

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

839

Address</citetitle></term>

840

841

</varlistentry>

842

843

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

844

Addresses</citetitle></term>

845

846

<para>

847

This client uses IPv6 link-local addresses, which are

848

immediately usable since a link-local addresses is

849

automatically assigned to a network interface when it

850

is brought up.

851

</para>

852

</listitem>

853

</varlistentry>

854

</variablelist>

855

</listitem>

856

</varlistentry>

857

858

<term>

859

RFC 4346: <citetitle>The Transport Layer Security (TLS)

860

Protocol Version 1.1</citetitle>

861

</term>

862

863

<para>

864

TLS 1.1 is the protocol implemented by GnuTLS.

865

</para>

866

</listitem>

867

</varlistentry>

868

869

<term>

870

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

871

</term>

872

873

<para>

874

The data received from the server is binary encrypted

875

OpenPGP data.

876

</para>

877

</listitem>

878

</varlistentry>

879

880

<term>

881

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

882

Security</citetitle>

883

</term>

884

885

<para>

886

This is implemented by GnuTLS and used by this program so

887

that OpenPGP keys can be used.

888

</para>

889

</listitem>

890

</varlistentry>

891

</variablelist>

426

892

</refsect1>

427

428

893

</refentry>

894

429

895

430

896

431

897

Older »