/mandos/trunk : revision 630

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2013-10-20 23:27:38 UTC
Revision ID: teddy@recompile.se-20131020232738-5gjw6auqqxnp4v7t

* mandos (PGPEngine.password_encode): Bug fix: GnuPG can't handle
really long passphrases - encode
those differently.

files added:
initramfs-tools-hook-conf

mandos-change-keytype

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY TIMESTAMP "2013-10-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

112

106

113

107

<sbr/>

114

108

<arg><option>--foreground</option></arg>

115

<sbr/>

116

<arg><option>--no-zeroconf</option></arg>

117

109

</cmdsynopsis>

118

110

119

111

<command>&COMMANDNAME;</command>

330

322

</listitem>

331

323

</varlistentry>

332

324

333

334

<term><option>--no-zeroconf</option></term>

335

336

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

337

</listitem>

338

</varlistentry>

339

340

325

</variablelist>

341

326

</refsect1>

342

327

362

347

start a TLS protocol handshake with a slight quirk: the Mandos

363

348

server program acts as a TLS <quote>client</quote> while the

364

349

connecting Mandos client acts as a TLS <quote>server</quote>.

365

The Mandos client must supply a TLS public key, and the key ID

366

of this public key is used by the Mandos server to look up (in a

367

list read from <filename>clients.conf</filename> at start time)

368

which binary blob to give the client. No other authentication

369

or authorization is done by the server.

350

The Mandos client must supply an OpenPGP certificate, and the

351

fingerprint of this certificate is used by the Mandos server to

352

look up (in a list read from <filename>clients.conf</filename>

353

at start time) which binary blob to give the client. No other

354

authentication or authorization is done by the server.

370

355

</para>

371

356

<table>

372

357

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

392

377

</emphasis></entry>

393

378

</row>

394

379

<row>

395

<entry>Public key (part of TLS handshake)</entry>

380

<entry>OpenPGP public key (part of TLS handshake)</entry>

396

381

397

382

</row>

398

383

<row>

537

522

<para>

538

523

The file containing the process id of the

539

524

<command>&COMMANDNAME;</command> process started last.

540

<emphasis >Note:</emphasis> If the <filename

541

class="directory">/run</filename> directory does not

542

exist, <filename>/var/run/mandos.pid</filename> will be

543

used instead.

544

525

</para>

545

526

</listitem>

546

527

</varlistentry>

547

528

529

530

</varlistentry>

531

548

532

<term><filename

549

533

class="directory">/var/lib/mandos</filename></term>

550

534

556

540

</listitem>

557

541

</varlistentry>

558

542

559

543

560

544

561

545

<para>

562

546

The Unix domain socket to where local syslog messages are

587

571

<para>

588

572

There is no fine-grained control over logging and debug output.

589

573

</para>

590

<xi:include href="bugs.xml"/>

574

<para>

575

This server does not check the expire time of clients’ OpenPGP

576

keys.

577

</para>

591

578

</refsect1>

592

579

593

580

643

630

<title>CLIENTS</title>

644

631

<para>

645

632

The server only gives out its stored data to clients which

646

does have the correct key ID of the stored key ID. This is

647

guaranteed by the fact that the client sends its public key in

648

the TLS handshake; this ensures it to be genuine. The server

649

computes the key ID of the key itself and looks up the key ID

650

in its list of clients. The <filename>clients.conf</filename>

651

file (see

633

does have the OpenPGP key of the stored fingerprint. This is

634

guaranteed by the fact that the client sends its OpenPGP

635

public key in the TLS handshake; this ensures it to be

636

genuine. The server computes the fingerprint of the key

637

itself and looks up the fingerprint in its list of

638

clients. The <filename>clients.conf</filename> file (see

652

639

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

653

640

<manvolnum>5</manvolnum></citerefentry>)

654

641

<emphasis>must</emphasis> be made non-readable by anyone

695

682

</varlistentry>

696

683

697

684

<term>

698

<ulink url="https://www.avahi.org/">Avahi</ulink>

685

<ulink url="http://www.avahi.org/">Avahi</ulink>

699

686

</term>

700

687

701

688

<para>

706

693

</varlistentry>

707

694

708

695

<term>

709

<ulink url="https://gnutls.org/">GnuTLS</ulink>

696

<ulink url="http://www.gnu.org/software/gnutls/"

697

>GnuTLS</ulink>

710

698

</term>

711

699

712

700

<para>

713

701

GnuTLS is the library this server uses to implement TLS for

714

702

communicating securely with the client, and at the same time

715

confidently get the client’s public key.

703

confidently get the client’s public OpenPGP key.

716

704

</para>

717

705

</listitem>

718

706

</varlistentry>

750

738

</varlistentry>

751

739

752

740

<term>

753

RFC 5246: <citetitle>The Transport Layer Security (TLS)

754

Protocol Version 1.2</citetitle>

741

RFC 4346: <citetitle>The Transport Layer Security (TLS)

742

Protocol Version 1.1</citetitle>

755

743

</term>

756

744

757

745

<para>

758

TLS 1.2 is the protocol implemented by GnuTLS.

746

TLS 1.1 is the protocol implemented by GnuTLS.

759

747

</para>

760

748

</listitem>

761

749

</varlistentry>

771

759

</varlistentry>

772

760

773

761

<term>

774

RFC 7250: <citetitle>Using Raw Public Keys in Transport

775

Layer Security (TLS) and Datagram Transport Layer Security

776

(DTLS)</citetitle>

777

</term>

778

779

<para>

780

This is implemented by GnuTLS version 3.6.6 and is, if

781

present, used by this server so that raw public keys can be

782

used.

783

</para>

784

</listitem>

785

</varlistentry>

786

787

<term>

788

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

789

Security (TLS) Authentication</citetitle>

790

</term>

791

792

<para>

793

This is implemented by GnuTLS before version 3.6.0 and is,

794

if present, used by this server so that OpenPGP keys can be

795

used.

762

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

763

Security</citetitle>

764

</term>

765

766

<para>

767

This is implemented by GnuTLS and used by this server so

768

that OpenPGP keys can be used.

796

769

</para>

797

770

</listitem>

798

771

</varlistentry>

Older »