/mandos/trunk : revision 631

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2013-10-22 19:24:01 UTC
Revision ID: teddy@recompile.se-20131022192401-op6mwsb7f7gygjyh

http://bugs.debian.org/702120

* mandos (priority): Bug fix: Add even more magic to make the old
DSA/ELG 2048-bit keys work with GnuTLS.
* mandos-keygen (KEYCOMMENT): Changed default to "".
* mandos-keygen (OPTIONS): Document new default value of "--comment".
* mandos-options.xml (priority): Document new default value.
* mandos.conf (priority): - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-change-keytype

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2013-10-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice='opt'>--interface<arg choice='plain'>IF</arg></arg>

<arg choice='opt'>--address<arg choice='plain'>ADDRESS</arg></arg>

<arg choice='opt'>--priority<arg choice='plain'>PRIORITY</arg></arg>

<arg choice='opt'>--servicename<arg choice='plain'>NAME</arg></arg>

<arg choice='opt'>--configdir<arg choice='plain'>DIRECTORY</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='opt'>-a<arg choice='plain'>ADDRESS</arg></arg>

<arg choice='opt'>--priority<arg choice='plain'>PRIORITY</arg></arg>

<arg choice='opt'>--servicename<arg choice='plain'>NAME</arg></arg>

<arg choice='opt'>--configdir<arg choice='plain'>DIRECTORY</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

100

<command>&COMMANDNAME;</command>

101

<arg choice='plain'>--version</arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

105

<arg choice='plain'>--check</arg>

106

</cmdsynopsis>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

100

<arg><option>--no-restore</option></arg>

101

<sbr/>

102

<arg><option>--statedir

103

<replaceable>DIRECTORY</replaceable></option></arg>

104

<sbr/>

105

<arg><option>--socket

106

107

<sbr/>

108

<arg><option>--foreground</option></arg>

109

</cmdsynopsis>

110

111

<command>&COMMANDNAME;</command>

112

113

114

115

</group>

116

</cmdsynopsis>

117

118

<command>&COMMANDNAME;</command>

119

<arg choice="plain"><option>--version</option></arg>

120

</cmdsynopsis>

121

122

<command>&COMMANDNAME;</command>

123

<arg choice="plain"><option>--check</option></arg>

124

</cmdsynopsis>

107

125

</refsynopsisdiv>

108

126

109

127

110

128

<title>DESCRIPTION</title>

111

129

<para>

112

130

<command>&COMMANDNAME;</command> is a server daemon which

113

131

handles incoming request for passwords for a pre-defined list of

114

client host computers. The Mandos server uses Zeroconf to

115

announce itself on the local network, and uses GnuTLS to

116

communicate securely with and to authenticate the clients.

117

Mandos uses IPv6 link-local addresses, since the clients are

118

assumed to not have any other addresses configured yet. Any

119

authenticated client is then given the pre-encrypted password

120

for that specific client.

132

client host computers. For an introduction, see

133

<citerefentry><refentrytitle>intro</refentrytitle>

134

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

135

uses Zeroconf to announce itself on the local network, and uses

136

TLS to communicate securely with and to authenticate the

137

clients. The Mandos server uses IPv6 to allow Mandos clients to

138

use IPv6 link-local addresses, since the clients will probably

139

not have any other addresses configured (see <xref

140

linkend="overview"/>). Any authenticated client is then given

141

the stored pre-encrypted password for that specific client.

121

142

</para>

122

123

</refsect1>

143

</refsect1>

124

144

125

145

126

146

<title>PURPOSE</title>

127

128

147

<para>

129

148

The purpose of this is to enable <emphasis>remote and unattended

130

rebooting</emphasis> of any client host computer with an

131

<emphasis>encrypted root file system</emphasis>. The client

132

host computer should start a Mandos client in the initial RAM

133

disk environment, the Mandos client program communicates with

134

this server program to get an encrypted password, which is then

135

decrypted and used to unlock the encrypted root file system.

136

The client host computer can then continue its boot sequence

137

normally.

149

rebooting</emphasis> of client host computer with an

150

<emphasis>encrypted root file system</emphasis>. See <xref

151

linkend="overview"/> for details.

138

152

</para>

139

140

</refsect1>

153

</refsect1>

141

154

142

155

143

156

<title>OPTIONS</title>

144

145

157

146

158

147

159

160

148

161

149

162

<para>

150

163

Show a help message and exit

151

164

</para>

152

165

</listitem>

153

166

</varlistentry>

154

155

156

<term><literal>-i</literal>, <literal>--interface <replaceable>

157

IF</replaceable></literal></term>

158

159

<para>

160

Only announce the server and listen to requests on network

161

interface <replaceable>IF</replaceable>. Default is to

162

use all available interfaces.

163

</para>

164

</listitem>

165

</varlistentry>

166

167

168

<term><literal>-a</literal>, <literal>--address <replaceable>

169

ADDRESS</replaceable></literal></term>

170

171

<para>

172

If this option is used, the server will only listen to a

173

specific address. This must currently be an IPv6 address;

174

an IPv4 address can be specified using the

175

"<literal>::FFFF:192.0.2.3</literal>" syntax. Also, if a

176

link-local address is specified, an interface should be

177

set, since a link-local address is only valid on a single

178

interface. By default, the server will listen to all

179

available addresses.

180

</para>

181

</listitem>

182

</varlistentry>

183

184

185

186

PORT</replaceable></literal></term>

187

188

<para>

189

If this option is used, the server to bind to that

190

port. By default, the server will listen to an arbitrary

191

port given by the operating system.

192

</para>

193

</listitem>

194

</varlistentry>

195

196

197

<term><literal>--check</literal></term>

198

199

<para>

200

Run the server's self-tests. This includes any unit

167

168

169

<term><option>--interface</option>

170

171

172

173

174

<xi:include href="mandos-options.xml" xpointer="interface"/>

175

</listitem>

176

</varlistentry>

177

178

179

<term><option>--address

180

<replaceable>ADDRESS</replaceable></option></term>

181

<term><option>-a

182

<replaceable>ADDRESS</replaceable></option></term>

183

184

<xi:include href="mandos-options.xml" xpointer="address"/>

185

</listitem>

186

</varlistentry>

187

188

189

<term><option>--port

190

191

<term><option>-p

192

193

194

<xi:include href="mandos-options.xml" xpointer="port"/>

195

</listitem>

196

</varlistentry>

197

198

199

<term><option>--check</option></term>

200

201

<para>

202

Run the server’s self-tests. This includes any unit

201

203

tests, etc.

202

204

</para>

203

205

</listitem>

204

</varlistentry>

205

206

207

<term><literal>--debug</literal></term>

208

209

<para>

210

If the server is run in debug mode, it will run in the

211

foreground and print a lot of debugging information. The

212

default is <emphasis>not</emphasis> to run in debug mode.

213

</para>

214

</listitem>

215

</varlistentry>

216

217

218

<term><literal>--priority <replaceable>

219

PRIORITY</replaceable></literal></term>

220

221

<para>

222

GnuTLS priority string for the TLS handshake with the

223

clients. See

224

<citerefentry><refentrytitle>gnutls_priority_init

225

</refentrytitle><manvolnum>3</manvolnum></citerefentry>

226

for the syntax. The default is

227

"<literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal>".

228

<emphasis>Warning</emphasis>: changing this may make the

229

TLS handshake fail, making communication with clients

230

impossible.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><literal>--servicename <replaceable>NAME</replaceable>

237

</literal></term>

238

239

<para>

240

Zeroconf service name. The default is

241

"<literal>Mandos</literal>". You only need to change this

242

if you for some reason want to run more than one server on

243

the same <emphasis>host</emphasis>. If there are name

244

collisions on the same <emphasis>network</emphasis>, the

245

new server will automatically rename itself to "Mandos

246

#2", etc.

247

</para>

248

</listitem>

249

</varlistentry>

250

251

252

<term><literal>--configdir <replaceable>DIR</replaceable>

253

</literal></term>

206

</varlistentry>

207

208

209

<term><option>--debug</option></term>

210

211

<xi:include href="mandos-options.xml" xpointer="debug"/>

212

</listitem>

213

</varlistentry>

214

215

216

<term><option>--debuglevel

217

<replaceable>LEVEL</replaceable></option></term>

218

219

<para>

220

Set the debugging log level.

221

<replaceable>LEVEL</replaceable> is a string, one of

222

<quote><literal>CRITICAL</literal></quote>,

223

<quote><literal>ERROR</literal></quote>,

224

<quote><literal>WARNING</literal></quote>,

225

<quote><literal>INFO</literal></quote>, or

226

<quote><literal>DEBUG</literal></quote>, in order of

227

increasing verbosity. The default level is

228

<quote><literal>WARNING</literal></quote>.

229

</para>

230

</listitem>

231

</varlistentry>

232

233

234

<term><option>--priority <replaceable>

235

PRIORITY</replaceable></option></term>

236

237

<xi:include href="mandos-options.xml" xpointer="priority"/>

238

</listitem>

239

</varlistentry>

240

241

242

<term><option>--servicename

243

244

245

<xi:include href="mandos-options.xml"

246

xpointer="servicename"/>

247

</listitem>

248

</varlistentry>

249

250

251

<term><option>--configdir

252

<replaceable>DIRECTORY</replaceable></option></term>

254

253

255

254

<para>

256

255

Directory to search for configuration files. Default is

257

"<literal>/etc/mandos</literal>". See <citerefentry>

258

<refentrytitle>mandos.conf</refentrytitle>

256

<quote><literal>/etc/mandos</literal></quote>. See

257

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

259

258

260

259

<refentrytitle>mandos-clients.conf</refentrytitle>

261

260

<manvolnum>5</manvolnum></citerefentry>.

262

261

</para>

263

262

</listitem>

264

263

</varlistentry>

265

264

266

265

267

<term><literal>--version</literal></term>

266

<term><option>--version</option></term>

268

267

269

268

<para>

270

269

Prints the program version and exit.

271

270

</para>

272

271

</listitem>

273

</varlistentry>

272

</varlistentry>

273

274

275

276

277

<xi:include href="mandos-options.xml" xpointer="dbus"/>

278

<para>

279

See also <xref linkend="dbus_interface"/>.

280

</para>

281

</listitem>

282

</varlistentry>

283

284

285

286

287

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--no-restore</option></term>

293

294

<xi:include href="mandos-options.xml" xpointer="restore"/>

295

<para>

296

See also <xref linkend="persistent_state"/>.

297

</para>

298

</listitem>

299

</varlistentry>

300

301

302

<term><option>--statedir

303

<replaceable>DIRECTORY</replaceable></option></term>

304

305

<xi:include href="mandos-options.xml" xpointer="statedir"/>

306

</listitem>

307

</varlistentry>

308

309

310

<term><option>--socket

311

312

313

<xi:include href="mandos-options.xml" xpointer="socket"/>

314

</listitem>

315

</varlistentry>

316

317

318

<term><option>--foreground</option></term>

319

320

<xi:include href="mandos-options.xml"

321

xpointer="foreground"/>

322

</listitem>

323

</varlistentry>

324

274

325

</variablelist>

275

326

</refsect1>

276

327

328

329

<title>OVERVIEW</title>

330

<xi:include href="overview.xml"/>

331

<para>

332

This program is the server part. It is a normal server program

333

and will run in a normal system environment, not in an initial

334

<acronym>RAM</acronym> disk environment.

335

</para>

336

</refsect1>

337

277

338

278

339

<title>NETWORK PROTOCOL</title>

279

340

<para>

280

341

The Mandos server announces itself as a Zeroconf service of type

281

"<literal>_mandos._tcp</literal>". The Mandos client connects

282

to the announced address and port, and sends a line of text

283

where the first whitespace-separated field is the protocol

284

version, which currently is "<literal>1</literal>". The client

285

and server then start a TLS protocol handshake with a slight

286

quirk: the Mandos server program acts as a TLS "client" while

287

the connecting Mandos client acts as a TLS "server". The Mandos

288

client must supply an OpenPGP certificate, and the fingerprint

289

of this certificate is used by the Mandos server to look up (in

290

a list read from a file at start time) which binary blob to give

291

the client. No other authentication or authorization is done by

292

the server.

342

<quote><literal>_mandos._tcp</literal></quote>. The Mandos

343

client connects to the announced address and port, and sends a

344

line of text where the first whitespace-separated field is the

345

protocol version, which currently is

346

<quote><literal>1</literal></quote>. The client and server then

347

start a TLS protocol handshake with a slight quirk: the Mandos

348

server program acts as a TLS <quote>client</quote> while the

349

connecting Mandos client acts as a TLS <quote>server</quote>.

350

The Mandos client must supply an OpenPGP certificate, and the

351

fingerprint of this certificate is used by the Mandos server to

352

look up (in a list read from <filename>clients.conf</filename>

353

at start time) which binary blob to give the client. No other

354

authentication or authorization is done by the server.

293

355

</para>

294

356

<table>

357

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

295

358

<row>

296

359

<entry>Mandos Client</entry>

297

360

<entry>Direction</entry>

303

366

304

367

</row>

305

368

<row>

306

369

307

370

308

371

</row>

309

372

<row>

310

<entry>TLS handshake</entry>

373

<entry>TLS handshake <emphasis>as TLS <quote>server</quote>

374

</emphasis></entry>

311

375

312

<entry>TLS handshake</entry>

376

<entry>TLS handshake <emphasis>as TLS <quote>client</quote>

377

</emphasis></entry>

313

378

</row>

314

379

<row>

315

380

<entry>OpenPGP public key (part of TLS handshake)</entry>

318

383

<row>

319

384

320

385

321

<entry>Binary blob</entry>

386

<entry>Binary blob (client will assume OpenPGP data)</entry>

322

387

</row>

323

388

<row>

324

389

325

390

326

391

<entry>Close</entry>

327

392

</row>

328

</tbody></tgroup></informaltable>

329

</refsect1>

330

393

</tbody></tgroup></table>

394

</refsect1>

395

396

397

<title>CHECKING</title>

398

<para>

399

The server will, by default, continually check that the clients

400

are still up. If a client has not been confirmed as being up

401

for some time, the client is assumed to be compromised and is no

402

longer eligible to receive the encrypted password. (Manual

403

intervention is required to re-enable a client.) The timeout,

404

extended timeout, checker program, and interval between checks

405

can be configured both globally and per client; see

406

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

407

<manvolnum>5</manvolnum></citerefentry>.

408

</para>

409

</refsect1>

410

411

412

<title>APPROVAL</title>

413

<para>

414

The server can be configured to require manual approval for a

415

client before it is sent its secret. The delay to wait for such

416

approval and the default action (approve or deny) can be

417

configured both globally and per client; see <citerefentry>

418

<refentrytitle>mandos-clients.conf</refentrytitle>

419

<manvolnum>5</manvolnum></citerefentry>. By default all clients

420

will be approved immediately without delay.

421

</para>

422

<para>

423

This can be used to deny a client its secret if not manually

424

approved within a specified time. It can also be used to make

425

the server delay before giving a client its secret, allowing

426

optional manual denying of this specific client.

427

</para>

428

429

</refsect1>

430

331

431

332

432

<title>LOGGING</title>

333

433

<para>

334

The server will log a lot of information with various severity

335

levels to

336

<citerefentry><refentrytitle>syslog</refentrytitle>

337

<manvolnum>8</manvolnum></citerefentry>. With the

434

The server will send log message with various severity levels to

435

<filename class="devicefile">/dev/log</filename>. With the

338

436

<option>--debug</option> option, it will log even more messages,

339

437

and also show them on the console.

340

438

</para>

341

439

</refsect1>

342

440

441

442

<title>PERSISTENT STATE</title>

443

<para>

444

Client settings, initially read from

445

<filename>clients.conf</filename>, are persistent across

446

restarts, and run-time changes will override settings in

447

<filename>clients.conf</filename>. However, if a setting is

448

<emphasis>changed</emphasis> (or a client added, or removed) in

449

<filename>clients.conf</filename>, this will take precedence.

450

</para>

451

</refsect1>

452

453

454

<title>D-BUS INTERFACE</title>

455

<para>

456

The server will by default provide a D-Bus system bus interface.

457

This interface will only be accessible by the root user or a

458

Mandos-specific user, if such a user exists. For documentation

459

of the D-Bus API, see the file <filename>DBUS-API</filename>.

460

</para>

461

</refsect1>

462

343

463

344

464

<title>EXIT STATUS</title>

345

465

<para>

347

467

critical error is encountered.

348

468

</para>

349

469

</refsect1>

350

351

470

471

472

<title>ENVIRONMENT</title>

473

474

475

476

477

<para>

478

To start the configured checker (see <xref

479

linkend="checking"/>), the server uses

480

<filename>/bin/sh</filename>, which in turn uses

481

<varname>PATH</varname> to search for matching commands if

482

an absolute path is not given. See <citerefentry>

483

484

</citerefentry>.

485

</para>

486

</listitem>

487

</varlistentry>

488

</variablelist>

489

</refsect1>

490

491

352

492

<title>FILES</title>

353

493

<para>

354

355

356

<filename>/etc/mandos/mandos.conf</filename> See <citerefentry>

357

<refentrytitle>mandos.conf</refentrytitle>

358

<manvolnum>5</manvolnum></citerefentry>.

359

</para></listitem>

360

361

<filename>/etc/mandos/clients.conf</filename> See <citerefentry>

494

Use the <option>--configdir</option> option to change where

495

<command>&COMMANDNAME;</command> looks for its configurations

496

files. The default file names are listed here.

497

</para>

498

499

500

<term><filename>/etc/mandos/mandos.conf</filename></term>

501

502

<para>

503

Server-global settings. See

504

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

505

<manvolnum>5</manvolnum></citerefentry> for details.

506

</para>

507

</listitem>

508

</varlistentry>

509

510

<term><filename>/etc/mandos/clients.conf</filename></term>

511

512

<para>

513

List of clients and client-specific settings. See

514

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

515

<manvolnum>5</manvolnum></citerefentry> for details.

516

</para>

517

</listitem>

518

</varlistentry>

519

520

<term><filename>/run/mandos.pid</filename></term>

521

522

<para>

523

The file containing the process id of the

524

<command>&COMMANDNAME;</command> process started last.

525

</para>

526

</listitem>

527

</varlistentry>

528

529

530

</varlistentry>

531

532

<term><filename

533

class="directory">/var/lib/mandos</filename></term>

534

535

<para>

536

Directory where persistent state will be saved. Change

537

this with the <option>--statedir</option> option. See

538

also the <option>--no-restore</option> option.

539

</para>

540

</listitem>

541

</varlistentry>

542

543

544

545

<para>

546

The Unix domain socket to where local syslog messages are

547

sent.

548

</para>

549

</listitem>

550

</varlistentry>

551

552

553

554

<para>

555

This is used to start the configured checker command for

556

each client. See <citerefentry>

362

557

<refentrytitle>mandos-clients.conf</refentrytitle>

363

<manvolnum>5</manvolnum></citerefentry>.

364

</para></listitem>

365

366

<filename>/var/run/mandos/mandos.pid</filename>

367

</para></listitem>

368

</itemizedlist>

369

</para>

370

</refsect1>

371

558

<manvolnum>5</manvolnum></citerefentry> for details.

559

</para>

560

</listitem>

561

</varlistentry>

562

</variablelist>

563

</refsect1>

564

372

565

373

566

374

567

<para>

375

</para>

376

</refsect1>

377

378

379

<title>EXAMPLES</title>

380

<para>

381

</para>

382

</refsect1>

383

568

This server might, on especially fatal errors, emit a Python

569

backtrace. This could be considered a feature.

570

</para>

571

<para>

572

There is no fine-grained control over logging and debug output.

573

</para>

574

<para>

575

This server does not check the expire time of clients’ OpenPGP

576

keys.

577

</para>

578

</refsect1>

579

580

581

<title>EXAMPLE</title>

582

583

<para>

584

Normal invocation needs no options:

585

</para>

586

<para>

587

<userinput>&COMMANDNAME;</userinput>

588

</para>

589

</informalexample>

590

591

<para>

592

Run the server in debug mode, read configuration files from

593

the <filename class="directory">~/mandos</filename> directory,

594

and use the Zeroconf service name <quote>Test</quote> to not

595

collide with any other official Mandos server on this host:

596

</para>

597

<para>

598

599

600

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

601

602

</para>

603

</informalexample>

604

605

<para>

606

Run the server normally, but only listen to one interface and

607

only on the link-local address on that interface:

608

</para>

609

<para>

610

611

612

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

613

614

</para>

615

</informalexample>

616

</refsect1>

617

384

618

385

619

<title>SECURITY</title>

386

<para>

387

</para>

620

621

<title>SERVER</title>

622

<para>

623

Running this <command>&COMMANDNAME;</command> server program

624

should not in itself present any security risk to the host

625

computer running it. The program switches to a non-root user

626

soon after startup.

627

</para>

628

</refsect2>

629

630

<title>CLIENTS</title>

631

<para>

632

The server only gives out its stored data to clients which

633

does have the OpenPGP key of the stored fingerprint. This is

634

guaranteed by the fact that the client sends its OpenPGP

635

public key in the TLS handshake; this ensures it to be

636

genuine. The server computes the fingerprint of the key

637

itself and looks up the fingerprint in its list of

638

clients. The <filename>clients.conf</filename> file (see

639

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

640

<manvolnum>5</manvolnum></citerefentry>)

641

<emphasis>must</emphasis> be made non-readable by anyone

642

except the user starting the server (usually root).

643

</para>

644

<para>

645

As detailed in <xref linkend="checking"/>, the status of all

646

client computers will continually be checked and be assumed

647

compromised if they are gone for too long.

648

</para>

649

<para>

650

For more details on client-side security, see

651

<citerefentry><refentrytitle>mandos-client</refentrytitle>

652

<manvolnum>8mandos</manvolnum></citerefentry>.

653

</para>

654

</refsect2>

388

655

</refsect1>

389

656

390

657

391

658

392

393

394

<citerefentry><refentrytitle>password-request</refentrytitle>

395

<manvolnum>8mandos</manvolnum></citerefentry>

396

</para></listitem>

397

398

399

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

400

<manvolnum>8mandos</manvolnum></citerefentry>

401

</para></listitem>

402

403

404

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

405

</para></listitem>

406

407

408

<ulink url="http://www.avahi.org/">Avahi</ulink>

409

</para></listitem>

410

411

412

<ulink

413

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

414

</para></listitem>

415

416

417

<citation>RFC 4880: <citetitle>OpenPGP Message

418

Format</citetitle></citation>

419

</para></listitem>

420

421

422

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

423

Transport Layer Security</citetitle></citation>

424

</para></listitem>

425

426

427

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

428

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

429

Unicast Addresses</citation>

430

</para></listitem>

431

</itemizedlist>

659

<para>

660

<citerefentry><refentrytitle>intro</refentrytitle>

661

<manvolnum>8mandos</manvolnum></citerefentry>,

662

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

663

<manvolnum>5</manvolnum></citerefentry>,

664

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

665

<manvolnum>5</manvolnum></citerefentry>,

666

<citerefentry><refentrytitle>mandos-client</refentrytitle>

667

<manvolnum>8mandos</manvolnum></citerefentry>,

668

669

670

</para>

671

672

673

<term>

674

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

675

</term>

676

677

<para>

678

Zeroconf is the network protocol standard used by clients

679

for finding this Mandos server on the local network.

680

</para>

681

</listitem>

682

</varlistentry>

683

684

<term>

685

<ulink url="http://www.avahi.org/">Avahi</ulink>

686

</term>

687

688

<para>

689

Avahi is the library this server calls to implement

690

Zeroconf service announcements.

691

</para>

692

</listitem>

693

</varlistentry>

694

695

<term>

696

<ulink url="http://www.gnu.org/software/gnutls/"

697

>GnuTLS</ulink>

698

</term>

699

700

<para>

701

GnuTLS is the library this server uses to implement TLS for

702

communicating securely with the client, and at the same time

703

confidently get the client’s public OpenPGP key.

704

</para>

705

</listitem>

706

</varlistentry>

707

708

<term>

709

RFC 4291: <citetitle>IP Version 6 Addressing

710

Architecture</citetitle>

711

</term>

712

713

714

715

<term>Section 2.2: <citetitle>Text Representation of

716

Addresses</citetitle></term>

717

718

</varlistentry>

719

720

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

721

Address</citetitle></term>

722

723

</varlistentry>

724

725

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

726

Addresses</citetitle></term>

727

728

<para>

729

The clients use IPv6 link-local addresses, which are

730

immediately usable since a link-local addresses is

731

automatically assigned to a network interfaces when it

732

is brought up.

733

</para>

734

</listitem>

735

</varlistentry>

736

</variablelist>

737

</listitem>

738

</varlistentry>

739

740

<term>

741

RFC 4346: <citetitle>The Transport Layer Security (TLS)

742

Protocol Version 1.1</citetitle>

743

</term>

744

745

<para>

746

TLS 1.1 is the protocol implemented by GnuTLS.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

<term>

752

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

753

</term>

754

755

<para>

756

The data sent to clients is binary encrypted OpenPGP data.

757

</para>

758

</listitem>

759

</varlistentry>

760

761

<term>

762

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

763

Security</citetitle>

764

</term>

765

766

<para>

767

This is implemented by GnuTLS and used by this server so

768

that OpenPGP keys can be used.

769

</para>

770

</listitem>

771

</varlistentry>

772

</variablelist>

432

773

</refsect1>

433

774

</refentry>

775

776

777

778

779

Older »