/mandos/trunk : revision 663

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2014-03-01 09:51:07 UTC
Revision ID: teddy@recompile.se-20140301095107-wfcwbmol2a71d3xz

* mandos-keygen (keygen): Add workaround for Debian bug #737128.

files added:
debian/upstream-signing-key.pgp

initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY TIMESTAMP "2014-03-01">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

100

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

101

<option>--delay <replaceable>SECONDS</replaceable></option>

127

102

</arg>

128

103

<sbr/>

169

144

brings up network interfaces, uses the interfaces’ IPv6

170

145

link-local addresses to get network connectivity, uses Zeroconf

171

146

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

147

servers using TLS with an OpenPGP key to ensure authenticity and

148

confidentiality. This client program keeps running, trying all

149

servers on the network, until it receives a satisfactory reply

150

or a TERM signal. After all servers have been tried, all

176

151

servers are periodically retried. If no servers are found it

177

152

will wait indefinitely for new servers to appear.

178

153

</para>

286

261

<para>

287

262

<replaceable>NAME</replaceable> can be the string

288

263

<quote><literal>none</literal></quote>; this will make

289

<command>&COMMANDNAME;</command> only bring up interfaces

290

specified <emphasis>before</emphasis> this string. This

291

is not recommended, and only meant for advanced users.

264

<command>&COMMANDNAME;</command> not bring up

265

<emphasis>any</emphasis> interfaces specified

266

<emphasis>after</emphasis> this string. This is not

267

recommended, and only meant for advanced users.

292

268

</para>

293

269

</listitem>

294

270

</varlistentry>

322

298

</varlistentry>

323

299

324

300

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

353

301

<term><option>--priority=<replaceable

354

302

>STRING</replaceable></option></term>

355

303

364

312

365

313

<para>

366

314

Sets the number of bits to use for the prime number in the

367

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

315

TLS Diffie-Hellman key exchange. Default is 1024.

389

316

</para>

390

317

</listitem>

391

318

</varlistentry>

518

445

519

446

520

447

<title>ENVIRONMENT</title>

521

522

523

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

524

525

<para>

526

This environment variable will be assumed to contain the

527

directory containing any helper executables. The use and

528

nature of these helper executables, if any, is purposely

529

not documented.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

534

448

<para>

535

This program does not use any other environment variables, not

536

even the ones provided by <citerefentry><refentrytitle

449

This program does not use any environment variables, not even

450

the ones provided by <citerefentry><refentrytitle

537

451

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

538

452

</citerefentry>.

539

453

</para>

726

640

</listitem>

727

641

</varlistentry>

728

642

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

743

643

<term><filename

744

644

class="directory">/lib/mandos/network-hooks.d</filename></term>

745

645

753

653

</variablelist>

754

654

</refsect1>

755

655

756

757

758

<xi:include href="../bugs.xml"/>

759

</refsect1>

656

657

658

659

660

760

661

761

662

762

663

<title>EXAMPLE</title>

787

688

</informalexample>

788

689

789

690

<para>

790

Run in debug mode, and use custom keys:

691

Run in debug mode, and use a custom key:

791

692

</para>

792

693

<para>

793

694

794

695

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

696

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

796

697

797

698

</para>

798

699

</informalexample>

799

700

800

701

<para>

801

Run in debug mode, with custom keys, and do not use Zeroconf

702

Run in debug mode, with a custom key, and do not use Zeroconf

802

703

to locate a server; connect directly to the IPv6 link-local

803

704

address <quote><systemitem class="ipaddress"

804

705

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

807

708

<para>

808

709

809

710

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

711

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

811

712

812

713

</para>

813

714

</informalexample>

837

738

<para>

838

739

The only remaining weak point is that someone with physical

839

740

access to the client hard drive might turn off the client

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

741

computer, read the OpenPGP keys directly from the hard drive,

742

and communicate with the server. To safeguard against this, the

743

server is supposed to notice the client disappearing and stop

744

giving out the encrypted data. Therefore, it is important to

745

set the timeout and checker interval values tightly on the

746

server. See <citerefentry><refentrytitle

846

747

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

847

748

</para>

848

749

<para>

849

750

It will also help if the checker program on the server is

850

751

configured to request something from the client which can not be

851

spoofed by someone else on the network, like SSH server key

852

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

853

echo (<quote>ping</quote>) replies.

752

spoofed by someone else on the network, unlike unencrypted

753

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

854

754

</para>

855

755

<para>

856

756

<emphasis>Note</emphasis>: This makes it completely insecure to

891

791

</varlistentry>

892

792

893

793

<term>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

794

<ulink url="http://www.avahi.org/">Avahi</ulink>

895

795

</term>

896

796

897

797

<para>

902

802

</varlistentry>

903

803

904

804

<term>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

805

<ulink url="http://www.gnu.org/software/gnutls/"

806

>GnuTLS</ulink>

906

807

</term>

907

808

908

809

<para>

909

810

GnuTLS is the library this client uses to implement TLS for

910

811

communicating securely with the server, and at the same time

911

send the public key to the server.

812

send the public OpenPGP key to the server.

912

813

</para>

913

814

</listitem>

914

815

</varlistentry>

915

816

916

817

<term>

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

818

<ulink url="http://www.gnupg.org/related_software/gpgme/"

918

819

>GPGME</ulink>

919

820

</term>

920

821

958

859

</varlistentry>

959

860

960

861

<term>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

862

RFC 4346: <citetitle>The Transport Layer Security (TLS)

863

Protocol Version 1.1</citetitle>

963

864

</term>

964

865

965

866

<para>

966

TLS 1.2 is the protocol implemented by GnuTLS.

867

TLS 1.1 is the protocol implemented by GnuTLS.

967

868

</para>

968

869

</listitem>

969

870

</varlistentry>

980

881

</varlistentry>

981

882

982

883

<term>

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

884

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

998

885

Security</citetitle>

999

886

</term>

1000

887

1001

888

<para>

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

889

This is implemented by GnuTLS and used by this program so

890

that OpenPGP keys can be used.

1005

891

</para>

1006

892

</listitem>

1007

893

</varlistentry>

Older »