/mandos/trunk : revision 776

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 00:59:17 UTC
Revision ID: teddy@recompile.se-20150720005917-ud7fxa6wcv9y4ta6

mandos-client: Bug fix: don't crash if --dh-params was not used.

* plugins.d/mandos-client.c (main): Bug fix: Check if dh_params_file
is NULL before using it in the
workaround for Debian bug #633582.

files added:
debian/mandos-client.examples

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY TIMESTAMP "2015-01-25">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<sbr/>

<sbr/>

100

<arg><option>--no-restore</option></arg>

101

<sbr/>

102

<arg><option>--statedir

103

<replaceable>DIRECTORY</replaceable></option></arg>

104

<sbr/>

105

<arg><option>--socket

106

107

<sbr/>

108

<arg><option>--foreground</option></arg>

109

<sbr/>

110

<arg><option>--no-zeroconf</option></arg>

111

</cmdsynopsis>

112

113

<command>&COMMANDNAME;</command>

116

131

<para>

117

132

<command>&COMMANDNAME;</command> is a server daemon which

118

133

handles incoming request for passwords for a pre-defined list of

119

client host computers. The Mandos server uses Zeroconf to

120

announce itself on the local network, and uses TLS to

121

communicate securely with and to authenticate the clients. The

122

Mandos server uses IPv6 to allow Mandos clients to use IPv6

123

link-local addresses, since the clients will probably not have

124

any other addresses configured (see <xref linkend="overview"/>).

125

Any authenticated client is then given the stored pre-encrypted

126

password for that specific client.

134

client host computers. For an introduction, see

135

<citerefentry><refentrytitle>intro</refentrytitle>

136

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

137

uses Zeroconf to announce itself on the local network, and uses

138

TLS to communicate securely with and to authenticate the

139

clients. The Mandos server uses IPv6 to allow Mandos clients to

140

use IPv6 link-local addresses, since the clients will probably

141

not have any other addresses configured (see <xref

142

linkend="overview"/>). Any authenticated client is then given

143

the stored pre-encrypted password for that specific client.

127

144

</para>

128

145

</refsect1>

129

146

219

236

<term><option>--priority <replaceable>

220

237

PRIORITY</replaceable></option></term>

221

238

222

<xi:include href="mandos-options.xml" xpointer="priority"/>

239

<xi:include href="mandos-options.xml"

240

xpointer="priority_compat"/>

223

241

</listitem>

224

242

</varlistentry>

225

243

272

290

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

273

291

</listitem>

274

292

</varlistentry>

293

294

295

<term><option>--no-restore</option></term>

296

297

<xi:include href="mandos-options.xml" xpointer="restore"/>

298

<para>

299

See also <xref linkend="persistent_state"/>.

300

</para>

301

</listitem>

302

</varlistentry>

303

304

305

<term><option>--statedir

306

<replaceable>DIRECTORY</replaceable></option></term>

307

308

<xi:include href="mandos-options.xml" xpointer="statedir"/>

309

</listitem>

310

</varlistentry>

311

312

313

<term><option>--socket

314

315

316

<xi:include href="mandos-options.xml" xpointer="socket"/>

317

</listitem>

318

</varlistentry>

319

320

321

<term><option>--foreground</option></term>

322

323

<xi:include href="mandos-options.xml"

324

xpointer="foreground"/>

325

</listitem>

326

</varlistentry>

327

328

329

<term><option>--no-zeroconf</option></term>

330

331

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

332

</listitem>

333

</varlistentry>

334

275

335

</variablelist>

276

336

</refsect1>

277

337

351

411

for some time, the client is assumed to be compromised and is no

352

412

longer eligible to receive the encrypted password. (Manual

353

413

intervention is required to re-enable a client.) The timeout,

354

checker program, and interval between checks can be configured

355

both globally and per client; see <citerefentry>

356

<refentrytitle>mandos-clients.conf</refentrytitle>

357

<manvolnum>5</manvolnum></citerefentry>. A client successfully

358

receiving its password will also be treated as a successful

359

checker run.

414

extended timeout, checker program, and interval between checks

415

can be configured both globally and per client; see

416

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

417

<manvolnum>5</manvolnum></citerefentry>.

360

418

</para>

361

419

</refsect1>

362

420

384

442

<title>LOGGING</title>

385

443

<para>

386

444

The server will send log message with various severity levels to

387

<filename>/dev/log</filename>. With the

445

<filename class="devicefile">/dev/log</filename>. With the

388

446

<option>--debug</option> option, it will log even more messages,

389

447

and also show them on the console.

390

448

</para>

391

449

</refsect1>

392

450

451

452

<title>PERSISTENT STATE</title>

453

<para>

454

Client settings, initially read from

455

<filename>clients.conf</filename>, are persistent across

456

restarts, and run-time changes will override settings in

457

<filename>clients.conf</filename>. However, if a setting is

458

<emphasis>changed</emphasis> (or a client added, or removed) in

459

<filename>clients.conf</filename>, this will take precedence.

460

</para>

461

</refsect1>

462

393

463

394

464

<title>D-BUS INTERFACE</title>

395

465

<para>

457

527

</listitem>

458

528

</varlistentry>

459

529

460

<term><filename>/var/run/mandos.pid</filename></term>

530

<term><filename>/run/mandos.pid</filename></term>

461

531

462

532

<para>

463

533

The file containing the process id of the

464

534

<command>&COMMANDNAME;</command> process started last.

535

<emphasis >Note:</emphasis> If the <filename

536

class="directory">/run</filename> directory does not

537

exist, <filename>/var/run/mandos.pid</filename> will be

538

used instead.

539

</para>

540

</listitem>

541

</varlistentry>

542

543

544

</varlistentry>

545

546

<term><filename

547

class="directory">/var/lib/mandos</filename></term>

548

549

<para>

550

Directory where persistent state will be saved. Change

551

this with the <option>--statedir</option> option. See

552

also the <option>--no-restore</option> option.

465

553

</para>

466

554

</listitem>

467

555

</varlistentry>

495

583

backtrace. This could be considered a feature.

496

584

</para>

497

585

<para>

498

Currently, if a client is disabled due to having timed out, the

499

server does not record this fact onto permanent storage. This

500

has some security implications, see <xref linkend="clients"/>.

501

</para>

502

<para>

503

586

There is no fine-grained control over logging and debug output.

504

587

</para>

505

588

<para>

506

Debug mode is conflated with running in the foreground.

507

</para>

508

<para>

509

The console log messages do not show a time stamp.

510

</para>

511

<para>

512

589

This server does not check the expire time of clients’ OpenPGP

513

590

keys.

514

591

</para>

527

604

528

605

<para>

529

606

Run the server in debug mode, read configuration files from

530

the <filename>~/mandos</filename> directory, and use the

531

Zeroconf service name <quote>Test</quote> to not collide with

532

any other official Mandos server on this host:

607

the <filename class="directory">~/mandos</filename> directory,

608

and use the Zeroconf service name <quote>Test</quote> to not

609

collide with any other official Mandos server on this host:

533

610

</para>

534

611

<para>

535

612

584

661

compromised if they are gone for too long.

585

662

</para>

586

663

<para>

587

If a client is compromised, its downtime should be duly noted

588

by the server which would therefore disable the client. But

589

if the server was ever restarted, it would re-read its client

590

list from its configuration file and again regard all clients

591

therein as enabled, and hence eligible to receive their

592

passwords. Therefore, be careful when restarting servers if

593

it is suspected that a client has, in fact, been compromised

594

by parties who may now be running a fake Mandos client with

595

the keys from the non-encrypted initial <acronym>RAM</acronym>

596

image of the client host. What should be done in that case

597

(if restarting the server program really is necessary) is to

598

stop the server program, edit the configuration file to omit

599

any suspect clients, and restart the server program.

600

</para>

601

<para>

602

664

For more details on client-side security, see

603

665

<citerefentry><refentrytitle>mandos-client</refentrytitle>

604

666

<manvolnum>8mandos</manvolnum></citerefentry>.

609

671

610

672

611

673

<para>

612

613

<refentrytitle>mandos-clients.conf</refentrytitle>

614

615

<refentrytitle>mandos.conf</refentrytitle>

616

617

<refentrytitle>mandos-client</refentrytitle>

618

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

619

620

</citerefentry>

674

<citerefentry><refentrytitle>intro</refentrytitle>

675

<manvolnum>8mandos</manvolnum></citerefentry>,

676

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

677

<manvolnum>5</manvolnum></citerefentry>,

678

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

679

<manvolnum>5</manvolnum></citerefentry>,

680

<citerefentry><refentrytitle>mandos-client</refentrytitle>

681

<manvolnum>8mandos</manvolnum></citerefentry>,

682

683

621

684

</para>

622

685

623

686

644

707

</varlistentry>

645

708

646

709

<term>

647

<ulink url="http://www.gnu.org/software/gnutls/"

648

>GnuTLS</ulink>

710

<ulink url="http://gnutls.org/">GnuTLS</ulink>

649

711

</term>

650

712

651

713

<para>

689

751

</varlistentry>

690

752

691

753

<term>

692

RFC 4346: <citetitle>The Transport Layer Security (TLS)

693

Protocol Version 1.1</citetitle>

754

RFC 5246: <citetitle>The Transport Layer Security (TLS)

755

Protocol Version 1.2</citetitle>

694

756

</term>

695

757

696

758

<para>

697

TLS 1.1 is the protocol implemented by GnuTLS.

759

TLS 1.2 is the protocol implemented by GnuTLS.

698

760

</para>

699

761

</listitem>

700

762

</varlistentry>

710

772

</varlistentry>

711

773

712

774

<term>

713

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

714

Security</citetitle>

775

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

776

Security (TLS) Authentication</citetitle>

715

777

</term>

716

778

717

779

<para>

Older »