/mandos/trunk : revision 818

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2016-03-04 22:07:35 UTC
Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh

Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
([Service]/PrivateTmp, [Service]/PrivateDevices,
[Service]/ProtectHome): Set to "yes".
([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
CAP_DAC_OVERRIDE CAP_NET_RAW".

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/ca.po

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2025-06-27">

<!ENTITY TIMESTAMP "2016-02-28">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

101

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--tls-privkey

106

107

<arg choice="plain"><option>-t

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--tls-pubkey

113

114

<arg choice="plain"><option>-T

115

116

</group>

117

<sbr/>

118

<arg>

119

<option>--priority <replaceable>STRING</replaceable></option>

120

</arg>

174

152

brings up network interfaces, uses the interfaces’ IPv6

175

153

link-local addresses to get network connectivity, uses Zeroconf

176

154

to find servers on the local network, and communicates with

177

servers using TLS with a raw public key to ensure authenticity

178

and confidentiality. This client program keeps running, trying

179

all servers on the network, until it receives a satisfactory

180

reply or a TERM signal. After all servers have been tried, all

155

servers using TLS with an OpenPGP key to ensure authenticity and

156

confidentiality. This client program keeps running, trying all

157

servers on the network, until it receives a satisfactory reply

158

or a TERM signal. After all servers have been tried, all

181

159

servers are periodically retried. If no servers are found it

182

160

will wait indefinitely for new servers to appear.

183

161

</para>

201

179

</para>

202

180

<para>

203

181

This program is not meant to be run directly; it is really meant

204

to be run by other programs in the initial

205

<acronym>RAM</acronym> disk environment; see <xref

206

linkend="overview"/>.

182

to run as a plugin of the <application>Mandos</application>

183

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

184

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

185

initial <acronym>RAM</acronym> disk environment because it is

186

specified as a <quote>keyscript</quote> in the <citerefentry>

187

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

188

</citerefentry> file.

207

189

</para>

208

190

</refsect1>

209

191

221

203

<title>OPTIONS</title>

222

204

<para>

223

205

This program is commonly not invoked from the command line; it

224

is normally started by another program as described in <xref

225

linkend="description"/>. Any command line options this program

226

accepts are therefore normally provided by the invoking program,

227

and not directly.

206

is normally started by the <application>Mandos</application>

207

plugin runner, see <citerefentry><refentrytitle

208

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

209

</citerefentry>. Any command line options this program accepts

210

are therefore normally provided by the plugin runner, and not

211

directly.

228

212

</para>

229

213

230

214

321

305

</varlistentry>

322

306

323

307

324

<term><option>--tls-pubkey=<replaceable

325

>FILE</replaceable></option></term>

326

<term><option>-T

327

328

329

<para>

330

TLS raw public key file name. The default name is

331

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

332

></quote>.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

338

<term><option>--tls-privkey=<replaceable

339

>FILE</replaceable></option></term>

340

<term><option>-t

341

342

343

<para>

344

TLS secret key file name. The default name is

345

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

346

></quote>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

308

<term><option>--priority=<replaceable

353

309

>STRING</replaceable></option></term>

354

310

364

320

<para>

365

321

Sets the number of bits to use for the prime number in the

366

322

TLS Diffie-Hellman key exchange. The default value is

367

selected automatically based on the GnuTLS security

368

profile set in its priority string. Note that if the

369

<option>--dh-params</option> option is used, the values

370

from that file will be used instead.

323

selected automatically based on the OpenPGP key. Note

324

that if the <option>--dh-params</option> option is used,

325

the values from that file will be used instead.

371

326

</para>

372

327

</listitem>

373

328

</varlistentry>

481

436

<title>OVERVIEW</title>

482

437

<xi:include href="../overview.xml"/>

483

438

<para>

484

This program is the client part. It is run automatically in an

485

initial <acronym>RAM</acronym> disk environment.

486

</para>

487

<para>

488

In an initial <acronym>RAM</acronym> disk environment using

489

<citerefentry><refentrytitle>systemd</refentrytitle>

490

<manvolnum>1</manvolnum></citerefentry>, this program is started

491

by the <application>Mandos</application> <citerefentry>

492

<refentrytitle>password-agent</refentrytitle>

493

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

494

started automatically by the <citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> <quote>Password Agent</quote> system.

497

</para>

498

<para>

499

In the case of a non-<citerefentry>

500

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

501

</citerefentry> environment, this program is started as a plugin

502

of the <application>Mandos</application> <citerefentry>

503

<refentrytitle>plugin-runner</refentrytitle>

504

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

505

initial <acronym>RAM</acronym> disk environment because it is

506

specified as a <quote>keyscript</quote> in the <citerefentry>

507

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

508

</citerefentry> file.

439

This program is the client part. It is a plugin started by

440

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

441

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

442

an initial <acronym>RAM</acronym> disk environment.

509

443

</para>

510

444

<para>

511

445

This program could, theoretically, be used as a keyscript in

512

446

<filename>/etc/crypttab</filename>, but it would then be

513

447

impossible to enter a password for the encrypted root disk at

514

448

the console, since this program does not read from the console

515

at all.

449

at all. This is why a separate plugin runner (<citerefentry>

450

<refentrytitle>plugin-runner</refentrytitle>

451

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

452

both this program and others in in parallel,

453

<emphasis>one</emphasis> of which (<citerefentry>

454

<refentrytitle>password-prompt</refentrytitle>

455

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

456

passwords on the system console.

516

457

</para>

517

458

</refsect1>

518

459

538

479

<para>

539

480

This environment variable will be assumed to contain the

540

481

directory containing any helper executables. The use and

541

nature of these helper executables, if any, is purposely

542

not documented.

482

nature of these helper executables, if any, is

483

purposefully not documented.

543

484

</para>

544

485

</listitem>

545

486

</varlistentry>

739

680

</listitem>

740

681

</varlistentry>

741

682

742

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

743

></term>

744

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

745

></term>

746

747

<para>

748

Public and private raw key files, in <quote>PEM</quote>

749

format. These are the default file names, they can be

750

changed with the <option>--tls-pubkey</option> and

751

<option>--tls-privkey</option> options.

752

</para>

753

</listitem>

754

</varlistentry>

755

756

683

<term><filename

757

684

class="directory">/lib/mandos/network-hooks.d</filename></term>

758

685

766

693

</variablelist>

767

694

</refsect1>

768

695

769

770

771

<xi:include href="../bugs.xml"/>

772

</refsect1>

696

697

698

699

700

773

701

774

702

775

703

<title>EXAMPLE</title>

776

704

<para>

777

705

Note that normally, command line options will not be given

778

directly, but passed on via the program responsible for starting

779

this program; see <xref linkend="overview"/>.

706

directly, but via options for the Mandos <citerefentry

707

><refentrytitle>plugin-runner</refentrytitle>

708

<manvolnum>8mandos</manvolnum></citerefentry>.

780

709

</para>

781

710

782

711

<para>

799

728

</informalexample>

800

729

801

730

<para>

802

Run in debug mode, and use custom keys:

731

Run in debug mode, and use a custom key:

803

732

</para>

804

733

<para>

805

734

806

735

807

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

736

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

808

737

809

738

</para>

810

739

</informalexample>

811

740

812

741

<para>

813

Run in debug mode, with custom keys, and do not use Zeroconf

742

Run in debug mode, with a custom key, and do not use Zeroconf

814

743

to locate a server; connect directly to the IPv6 link-local

815

744

address <quote><systemitem class="ipaddress"

816

745

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

819

748

<para>

820

749

821

750

822

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

823

752

824

753

</para>

825

754

</informalexample>

828

757

829

758

<title>SECURITY</title>

830

759

<para>

831

This program assumes that it is set-uid to root, and will switch

832

back to the original (and presumably non-privileged) user and

833

group after bringing up the network interface.

760

This program is set-uid to root, but will switch back to the

761

original (and presumably non-privileged) user and group after

762

bringing up the network interface.

834

763

</para>

835

764

<para>

836

765

To use this program for its intended purpose (see <xref

849

778

<para>

850

779

The only remaining weak point is that someone with physical

851

780

access to the client hard drive might turn off the client

852

computer, read the OpenPGP and TLS keys directly from the hard

853

drive, and communicate with the server. To safeguard against

854

this, the server is supposed to notice the client disappearing

855

and stop giving out the encrypted data. Therefore, it is

856

important to set the timeout and checker interval values tightly

857

on the server. See <citerefentry><refentrytitle

781

computer, read the OpenPGP keys directly from the hard drive,

782

and communicate with the server. To safeguard against this, the

783

server is supposed to notice the client disappearing and stop

784

giving out the encrypted data. Therefore, it is important to

785

set the timeout and checker interval values tightly on the

786

server. See <citerefentry><refentrytitle

858

787

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

859

788

</para>

860

789

<para>

884

813

<manvolnum>5</manvolnum></citerefentry>,

885

814

<citerefentry><refentrytitle>mandos</refentrytitle>

886

815

<manvolnum>8</manvolnum></citerefentry>,

887

<citerefentry><refentrytitle>password-agent</refentrytitle>

816

<citerefentry><refentrytitle>password-prompt</refentrytitle>

888

817

<manvolnum>8mandos</manvolnum></citerefentry>,

889

818

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

890

819

<manvolnum>8mandos</manvolnum></citerefentry>

903

832

</varlistentry>

904

833

905

834

<term>

906

<ulink url="https://www.avahi.org/">Avahi</ulink>

835

<ulink url="http://www.avahi.org/">Avahi</ulink>

907

836

</term>

908

837

909

838

<para>

914

843

</varlistentry>

915

844

916

845

<term>

917

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

846

<ulink url="http://www.gnu.org/software/gnutls/"

847

>GnuTLS</ulink>

918

848

</term>

919

849

920

850

<para>

921

851

GnuTLS is the library this client uses to implement TLS for

922

852

communicating securely with the server, and at the same time

923

send the public key to the server.

853

send the public OpenPGP key to the server.

924

854

</para>

925

855

</listitem>

926

856

</varlistentry>

927

857

928

858

<term>

929

<ulink url="https://www.gnupg.org/related_software/gpgme/"

859

<ulink url="http://www.gnupg.org/related_software/gpgme/"

930

860

>GPGME</ulink>

931

861

</term>

932

862

970

900

</varlistentry>

971

901

972

902

<term>

973

RFC 5246: <citetitle>The Transport Layer Security (TLS)

974

Protocol Version 1.2</citetitle>

903

RFC 4346: <citetitle>The Transport Layer Security (TLS)

904

Protocol Version 1.1</citetitle>

975

905

</term>

976

906

977

907

<para>

978

TLS 1.2 is the protocol implemented by GnuTLS.

908

TLS 1.1 is the protocol implemented by GnuTLS.

979

909

</para>

980

910

</listitem>

981

911

</varlistentry>

992

922

</varlistentry>

993

923

994

924

<term>

995

RFC 7250: <citetitle>Using Raw Public Keys in Transport

996

Layer Security (TLS) and Datagram Transport Layer Security

997

(DTLS)</citetitle>

998

</term>

999

1000

<para>

1001

This is implemented by GnuTLS in version 3.6.6 and is, if

1002

present, used by this program so that raw public keys can be

1003

used.

1004

</para>

1005

</listitem>

1006

</varlistentry>

1007

1008

<term>

1009

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

925

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

1010

926

Security</citetitle>

1011

927

</term>

1012

928

1013

929

<para>

1014

This is implemented by GnuTLS before version 3.6.0 and is,

1015

if present, used by this program so that OpenPGP keys can be

1016

used.

930

This is implemented by GnuTLS and used by this program so

931

that OpenPGP keys can be used.

1017

932

</para>

1018

933

</listitem>

1019

934

</varlistentry>

Older »