/mandos/trunk : revision 844

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2016-03-23 07:11:22 UTC
Revision ID: teddy@recompile.se-20160323071122-55srtjdizr21rr7f

Use HTTPS in home page links

Since we have a real certificate now, change all links to the home
page to use HTTPS.

* README: Use HTTPS in home page links
* debian/control (Source: mandos/Homepage): - '' -
* debian/copyright (Source): - '' -
* intro.xml (SEE ALSO): - '' -
* mandos.lsm (Primary-site): - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

</group>

<sbr/>

<group>

102

</arg>

103

<sbr/>

100

104

<arg>

105

<option>--dh-params <replaceable>FILE</replaceable></option>

106

</arg>

107

<sbr/>

108

<arg>

109

<option>--delay <replaceable>SECONDS</replaceable></option>

110

</arg>

111

<sbr/>

112

<arg>

113

<option>--retry <replaceable>SECONDS</replaceable></option>

114

</arg>

115

<sbr/>

116

<arg>

117

<option>--network-hook-dir

118

119

</arg>

120

<sbr/>

121

<arg>

101

122

<option>--debug</option>

102

123

</arg>

103

124

</cmdsynopsis>

120

141

</group>

121

142

</cmdsynopsis>

122

143

</refsynopsisdiv>

123

144

124

145

125

146

<title>DESCRIPTION</title>

126

147

<para>

127

148

<command>&COMMANDNAME;</command> is a client program that

128

149

communicates with <citerefentry><refentrytitle

129

150

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find the server, and TLS with

132

an OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply.

151

to get a password. In slightly more detail, this client program

152

brings up network interfaces, uses the interfaces’ IPv6

153

link-local addresses to get network connectivity, uses Zeroconf

154

to find servers on the local network, and communicates with

155

servers using TLS with an OpenPGP key to ensure authenticity and

156

confidentiality. This client program keeps running, trying all

157

servers on the network, until it receives a satisfactory reply

158

or a TERM signal. After all servers have been tried, all

159

servers are periodically retried. If no servers are found it

160

will wait indefinitely for new servers to appear.

161

</para>

162

<para>

163

The network interfaces are selected like this: If any interfaces

164

are specified using the <option>--interface</option> option,

165

those interface are used. Otherwise,

166

<command>&COMMANDNAME;</command> will use all interfaces that

167

are not loopback interfaces, are not point-to-point interfaces,

168

are capable of broadcasting and do not have the NOARP flag (see

169

<citerefentry><refentrytitle>netdevice</refentrytitle>

170

<manvolnum>7</manvolnum></citerefentry>). (If the

171

<option>--connect</option> option is used, point-to-point

172

interfaces and non-broadcast interfaces are accepted.) If any

173

used interfaces are not up and running, they are first taken up

174

(and later taken down again on program exit).

175

</para>

176

<para>

177

Before network interfaces are selected, all <quote>network

178

hooks</quote> are run; see <xref linkend="network-hooks"/>.

135

179

</para>

136

180

<para>

137

181

This program is not meant to be run directly; it is really meant

184

228

assumed to separate the address from the port number.

185

229

</para>

186

230

<para>

187

This option is normally only useful for testing and

188

debugging.

231

Normally, Zeroconf would be used to locate Mandos servers,

232

in which case this option would only be used when testing

233

and debugging.

189

234

</para>

190

235

</listitem>

191

236

</varlistentry>

192

237

193

238

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

<term><option>--interface=

211

239

<term><option>--interface=<replaceable

240

>NAME</replaceable><arg rep='repeat'>,<replaceable

241

>NAME</replaceable></arg></option></term>

212

242

<term><option>-i

213

243

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

244

>NAME</replaceable></arg></option></term>

214

245

215

246

<para>

216

Network interface that will be brought up and scanned for

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

247

Comma separated list of network interfaces that will be

248

brought up and scanned for Mandos servers to connect to.

249

The default is the empty string, which will automatically

250

use all appropriate interfaces.

251

</para>

252

<para>

253

If the <option>--connect</option> option is used, and

254

exactly one interface name is specified (except

255

<quote><literal>none</literal></quote>), this specifies

256

the interface to use to connect to the address given.

257

</para>

258

<para>

259

Note that since this program will normally run in the

260

initial RAM disk environment, the interface must be an

261

interface which exists at that stage. Thus, the interface

262

can normally not be a pseudo-interface such as

263

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

264

will not exist until much later in the boot process, and

265

can not be used by this program, unless created by a

266

<quote>network hook</quote> — see <xref

267

linkend="network-hooks"/>.

268

</para>

269

<para>

270

<replaceable>NAME</replaceable> can be the string

271

<quote><literal>none</literal></quote>; this will make

272

<command>&COMMANDNAME;</command> only bring up interfaces

273

specified <emphasis>before</emphasis> this string. This

274

is not recommended, and only meant for advanced users.

219

275

</para>

220

276

</listitem>

221

277

</varlistentry>

227

283

228

284

229

285

<para>

230

OpenPGP public key file base name. This will be combined

231

with the directory from the <option>--keydir</option>

232

option to form an absolute file name. The default name is

233

<quote><literal>pubkey.txt</literal></quote>.

286

OpenPGP public key file name. The default name is

287

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

288

></quote>.

234

289

</para>

235

290

</listitem>

236

291

</varlistentry>

237

292

238

293

239

294

<term><option>--seckey=<replaceable

240

295

>FILE</replaceable></option></term>

242

297

243

298

244

299

<para>

245

OpenPGP secret key file base name. This will be combined

246

with the directory from the <option>--keydir</option>

247

option to form an absolute file name. The default name is

248

<quote><literal>seckey.txt</literal></quote>.

300

OpenPGP secret key file name. The default name is

301

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

302

></quote>.

249

303

</para>

250

304

</listitem>

251

305

</varlistentry>

258

312

xpointer="priority"/>

259

313

</listitem>

260

314

</varlistentry>

261

315

262

316

263

317

<term><option>--dh-bits=<replaceable

264

318

>BITS</replaceable></option></term>

265

319

266

320

<para>

267

321

Sets the number of bits to use for the prime number in the

268

TLS Diffie-Hellman key exchange. Default is 1024.

322

TLS Diffie-Hellman key exchange. The default value is

323

selected automatically based on the OpenPGP key. Note

324

that if the <option>--dh-params</option> option is used,

325

the values from that file will be used instead.

326

</para>

327

</listitem>

328

</varlistentry>

329

330

331

<term><option>--dh-params=<replaceable

332

>FILE</replaceable></option></term>

333

334

<para>

335

Specifies a PEM-encoded PKCS#3 file to read the parameters

336

needed by the TLS Diffie-Hellman key exchange from. If

337

this option is not given, or if the file for some reason

338

could not be used, the parameters will be generated on

339

startup, which will take some time and processing power.

340

Those using servers running under time, power or processor

341

constraints may want to generate such a file in advance

342

and use this option.

343

</para>

344

</listitem>

345

</varlistentry>

346

347

348

<term><option>--delay=<replaceable

349

>SECONDS</replaceable></option></term>

350

351

<para>

352

After bringing a network interface up, the program waits

353

for the interface to arrive in a <quote>running</quote>

354

state before proceeding. During this time, the kernel log

355

level will be lowered to reduce clutter on the system

356

console, alleviating any other plugins which might be

357

using the system console. This option sets the upper

358

limit of seconds to wait. The default is 2.5 seconds.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

<term><option>--retry=<replaceable

365

>SECONDS</replaceable></option></term>

366

367

<para>

368

All Mandos servers are tried repeatedly until a password

369

is received. This value specifies, in seconds, how long

370

between each successive try <emphasis>for the same

371

server</emphasis>. The default is 10 seconds.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--network-hook-dir=<replaceable

378

>DIR</replaceable></option></term>

379

380

<para>

381

Network hook directory. The default directory is

382

<quote><filename class="directory"

383

>/lib/mandos/network-hooks.d</filename></quote>.

269

384

</para>

270

385

</listitem>

271

386

</varlistentry>

304

419

</para>

305

420

</listitem>

306

421

</varlistentry>

307

422

308

423

309

424

<term><option>--version</option></term>

310

425

316

431

</varlistentry>

317

432

</variablelist>

318

433

</refsect1>

319

434

320

435

321

436

<title>OVERVIEW</title>

322

437

<xi:include href="../overview.xml"/>

329

444

<para>

330

445

This program could, theoretically, be used as a keyscript in

331

446

<filename>/etc/crypttab</filename>, but it would then be

332

impossible to enter the encrypted root disk password at the

333

console, since this program does not read from the console at

334

all. This is why a separate plugin does that, which will be run

335

in parallell to this one.

447

impossible to enter a password for the encrypted root disk at

448

the console, since this program does not read from the console

449

at all. This is why a separate plugin runner (<citerefentry>

450

<refentrytitle>plugin-runner</refentrytitle>

451

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

452

both this program and others in in parallel,

453

<emphasis>one</emphasis> of which (<citerefentry>

454

<refentrytitle>password-prompt</refentrytitle>

455

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

456

passwords on the system console.

336

457

</para>

337

458

</refsect1>

338

459

343

464

server could be found and the password received from it could be

344

465

successfully decrypted and output on standard output. The

345

466

program will exit with a non-zero exit status only if a critical

346

error occurs. Otherwise, it will forever connect to new

347

<application>Mandosservers</application> servers as they appear,

348

trying to get a decryptable password.

467

error occurs. Otherwise, it will forever connect to any

468

discovered <application>Mandos</application> servers, trying to

469

get a decryptable password and print it.

349

470

</para>

350

471

</refsect1>

351

472

352

473

353

474

<title>ENVIRONMENT</title>

475

476

477

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

478

479

<para>

480

This environment variable will be assumed to contain the

481

directory containing any helper executables. The use and

482

nature of these helper executables, if any, is

483

purposefully not documented.

484

</para>

485

</listitem>

486

</varlistentry>

487

</variablelist>

354

488

<para>

355

This program does not use any environment variables, not even

356

the ones provided by <citerefentry><refentrytitle

489

This program does not use any other environment variables, not

490

even the ones provided by <citerefentry><refentrytitle

357

491

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

358

492

</citerefentry>.

359

493

</para>

360

494

</refsect1>

361

495

362

496

497

<title>NETWORK HOOKS</title>

498

<para>

499

If a network interface like a bridge or tunnel is required to

500

find a Mandos server, this requires the interface to be up and

501

running before <command>&COMMANDNAME;</command> starts looking

502

for Mandos servers. This can be accomplished by creating a

503

<quote>network hook</quote> program, and placing it in a special

504

directory.

505

</para>

506

<para>

507

Before the network is used (and again before program exit), any

508

runnable programs found in the network hook directory are run

509

with the argument <quote><literal>start</literal></quote> or

510

<quote><literal>stop</literal></quote>. This should bring up or

511

down, respectively, any network interface which

512

<command>&COMMANDNAME;</command> should use.

513

</para>

514

515

<title>REQUIREMENTS</title>

516

<para>

517

A network hook must be an executable file, and its name must

518

consist entirely of upper and lower case letters, digits,

519

underscores, periods, and hyphens.

520

</para>

521

<para>

522

A network hook will receive one argument, which can be one of

523

the following:

524

</para>

525

526

527

<term><literal>start</literal></term>

528

529

<para>

530

This should make the network hook create (if necessary)

531

and bring up a network interface.

532

</para>

533

</listitem>

534

</varlistentry>

535

536

537

538

<para>

539

This should make the network hook take down a network

540

interface, and delete it if it did not exist previously.

541

</para>

542

</listitem>

543

</varlistentry>

544

545

<term><literal>files</literal></term>

546

547

<para>

548

This should make the network hook print, <emphasis>one

549

file per line</emphasis>, all the files needed for it to

550

run. (These files will be copied into the initial RAM

551

filesystem.) Typical use is for a network hook which is

552

a shell script to print its needed binaries.

553

</para>

554

<para>

555

It is not necessary to print any non-executable files

556

already in the network hook directory, these will be

557

copied implicitly if they otherwise satisfy the name

558

requirements.

559

</para>

560

</listitem>

561

</varlistentry>

562

563

<term><literal>modules</literal></term>

564

565

<para>

566

This should make the network hook print, <emphasis>on

567

separate lines</emphasis>, all the kernel modules needed

568

for it to run. (These modules will be copied into the

569

initial RAM filesystem.) For instance, a tunnel

570

interface needs the

571

<quote><literal>tun</literal></quote> module.

572

</para>

573

</listitem>

574

</varlistentry>

575

</variablelist>

576

<para>

577

The network hook will be provided with a number of environment

578

variables:

579

</para>

580

581

582

<term><envar>MANDOSNETHOOKDIR</envar></term>

583

584

<para>

585

The network hook directory, specified to

586

<command>&COMMANDNAME;</command> by the

587

<option>--network-hook-dir</option> option. Note: this

588

should <emphasis>always</emphasis> be used by the

589

network hook to refer to itself or any files in the hook

590

directory it may require.

591

</para>

592

</listitem>

593

</varlistentry>

594

595

<term><envar>DEVICE</envar></term>

596

597

<para>

598

The network interfaces, as specified to

599

<command>&COMMANDNAME;</command> by the

600

<option>--interface</option> option, combined to one

601

string and separated by commas. If this is set, and

602

does not contain the interface a hook will bring up,

603

there is no reason for a hook to continue.

604

</para>

605

</listitem>

606

</varlistentry>

607

608

609

610

<para>

611

This will be the same as the first argument;

612

i.e. <quote><literal>start</literal></quote>,

613

<quote><literal>stop</literal></quote>,

614

<quote><literal>files</literal></quote>, or

615

<quote><literal>modules</literal></quote>.

616

</para>

617

</listitem>

618

</varlistentry>

619

620

<term><envar>VERBOSITY</envar></term>

621

622

<para>

623

This will be the <quote><literal>1</literal></quote> if

624

the <option>--debug</option> option is passed to

625

<command>&COMMANDNAME;</command>, otherwise

626

<quote><literal>0</literal></quote>.

627

</para>

628

</listitem>

629

</varlistentry>

630

631

<term><envar>DELAY</envar></term>

632

633

<para>

634

This will be the same as the <option>--delay</option>

635

option passed to <command>&COMMANDNAME;</command>. Is

636

only set if <envar>MODE</envar> is

637

<quote><literal>start</literal></quote> or

638

<quote><literal>stop</literal></quote>.

639

</para>

640

</listitem>

641

</varlistentry>

642

643

<term><envar>CONNECT</envar></term>

644

645

<para>

646

This will be the same as the <option>--connect</option>

647

option passed to <command>&COMMANDNAME;</command>. Is

648

only set if <option>--connect</option> is passed and

649

<envar>MODE</envar> is

650

<quote><literal>start</literal></quote> or

651

<quote><literal>stop</literal></quote>.

652

</para>

653

</listitem>

654

</varlistentry>

655

</variablelist>

656

<para>

657

A hook may not read from standard input, and should be

658

restrictive in printing to standard output or standard error

659

unless <varname>VERBOSITY</varname> is

660

<quote><literal>1</literal></quote>.

661

</para>

662

</refsect2>

663

</refsect1>

664

665

363

666

<title>FILES</title>

364

<para>

365

</para>

667

668

669

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

670

></term>

671

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

672

></term>

673

674

<para>

675

OpenPGP public and private key files, in <quote>ASCII

676

Armor</quote> format. These are the default file names,

677

they can be changed with the <option>--pubkey</option> and

678

<option>--seckey</option> options.

679

</para>

680

</listitem>

681

</varlistentry>

682

683

<term><filename

684

class="directory">/lib/mandos/network-hooks.d</filename></term>

685

686

<para>

687

Directory where network hooks are located. Change this

688

with the <option>--network-hook-dir</option> option. See

689

<xref linkend="network-hooks"/>.

690

</para>

691

</listitem>

692

</varlistentry>

693

</variablelist>

366

694

</refsect1>

367

695

368

696

369

697

370

<para>

371

</para>

698

<xi:include href="../bugs.xml"/>

372

699

</refsect1>

373

700

374

701

375

702

<title>EXAMPLE</title>

376

703

<para>

704

Note that normally, command line options will not be given

705

directly, but via options for the Mandos <citerefentry

706

><refentrytitle>plugin-runner</refentrytitle>

707

<manvolnum>8mandos</manvolnum></citerefentry>.

377

708

</para>

709

710

<para>

711

Normal invocation needs no options, if the network interfaces

712

can be automatically determined:

713

</para>

714

<para>

715

<userinput>&COMMANDNAME;</userinput>

716

</para>

717

</informalexample>

718

719

<para>

720

Search for Mandos servers (and connect to them) using one

721

specific interface:

722

</para>

723

<para>

724

725

<userinput>&COMMANDNAME; --interface eth1</userinput>

726

</para>

727

</informalexample>

728

729

<para>

730

Run in debug mode, and use a custom key:

731

</para>

732

<para>

733

734

735

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

736

737

</para>

738

</informalexample>

739

740

<para>

741

Run in debug mode, with a custom key, and do not use Zeroconf

742

to locate a server; connect directly to the IPv6 link-local

743

address <quote><systemitem class="ipaddress"

744

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

745

using interface eth2:

746

</para>

747

<para>

748

749

750

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

752

</para>

753

</informalexample>

378

754

</refsect1>

379

755

380

756

381

757

<title>SECURITY</title>

382

758

<para>

759

This program is set-uid to root, but will switch back to the

760

original (and presumably non-privileged) user and group after

761

bringing up the network interface.

762

</para>

763

<para>

764

To use this program for its intended purpose (see <xref

765

linkend="purpose"/>), the password for the root file system will

766

have to be given out to be stored in a server computer, after

767

having been encrypted using an OpenPGP key. This encrypted data

768

which will be stored in a server can only be decrypted by the

769

OpenPGP key, and the data will only be given out to those

770

clients who can prove they actually have that key. This key,

771

however, is stored unencrypted on the client side in its initial

772

<acronym>RAM</acronym> disk image file system. This is normally

773

readable by all, but this is normally fixed during installation

774

of this program; file permissions are set so that no-one is able

775

to read that file.

776

</para>

777

<para>

778

The only remaining weak point is that someone with physical

779

access to the client hard drive might turn off the client

780

computer, read the OpenPGP keys directly from the hard drive,

781

and communicate with the server. To safeguard against this, the

782

server is supposed to notice the client disappearing and stop

783

giving out the encrypted data. Therefore, it is important to

784

set the timeout and checker interval values tightly on the

785

server. See <citerefentry><refentrytitle

786

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

787

</para>

788

<para>

789

It will also help if the checker program on the server is

790

configured to request something from the client which can not be

791

spoofed by someone else on the network, like SSH server key

792

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

793

echo (<quote>ping</quote>) replies.

794

</para>

795

<para>

796

<emphasis>Note</emphasis>: This makes it completely insecure to

797

have <application >Mandos</application> clients which dual-boot

798

to another operating system which is <emphasis>not</emphasis>

799

trusted to keep the initial <acronym>RAM</acronym> disk image

800

confidential.

383

801

</para>

384

802

</refsect1>

385

803

386

804

387

805

388

806

<para>

807

<citerefentry><refentrytitle>intro</refentrytitle>

808

<manvolnum>8mandos</manvolnum></citerefentry>,

809

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

810

<manvolnum>8</manvolnum></citerefentry>,

811

<citerefentry><refentrytitle>crypttab</refentrytitle>

812

<manvolnum>5</manvolnum></citerefentry>,

389

813

<citerefentry><refentrytitle>mandos</refentrytitle>

390

814

<manvolnum>8</manvolnum></citerefentry>,

391

815

<citerefentry><refentrytitle>password-prompt</refentrytitle>

393

817

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

394

818

<manvolnum>8mandos</manvolnum></citerefentry>

395

819

</para>

396

397

398

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

399

</para></listitem>

400

401

402

<ulink url="http://www.avahi.org/">Avahi</ulink>

403

</para></listitem>

404

405

406

<ulink

407

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

408

</para></listitem>

409

410

411

<ulink

412

url="http://www.gnupg.org/related_software/gpgme/"

413

>GPGME</ulink>

414

</para></listitem>

415

416

417

<citation>RFC 4880: <citetitle>OpenPGP Message

418

Format</citetitle></citation>

419

</para></listitem>

420

421

422

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

423

Transport Layer Security</citetitle></citation>

424

</para></listitem>

425

426

427

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

428

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

429

Unicast Addresses</citation>

430

</para></listitem>

431

</itemizedlist>

820

821

822

<term>

823

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

824

</term>

825

826

<para>

827

Zeroconf is the network protocol standard used for finding

828

Mandos servers on the local network.

829

</para>

830

</listitem>

831

</varlistentry>

832

833

<term>

834

<ulink url="http://www.avahi.org/">Avahi</ulink>

835

</term>

836

837

<para>

838

Avahi is the library this program calls to find Zeroconf

839

services.

840

</para>

841

</listitem>

842

</varlistentry>

843

844

<term>

845

<ulink url="http://www.gnu.org/software/gnutls/"

846

>GnuTLS</ulink>

847

</term>

848

849

<para>

850

GnuTLS is the library this client uses to implement TLS for

851

communicating securely with the server, and at the same time

852

send the public OpenPGP key to the server.

853

</para>

854

</listitem>

855

</varlistentry>

856

857

<term>

858

<ulink url="http://www.gnupg.org/related_software/gpgme/"

859

>GPGME</ulink>

860

</term>

861

862

<para>

863

GPGME is the library used to decrypt the OpenPGP data sent

864

by the server.

865

</para>

866

</listitem>

867

</varlistentry>

868

869

<term>

870

RFC 4291: <citetitle>IP Version 6 Addressing

871

Architecture</citetitle>

872

</term>

873

874

875

876

<term>Section 2.2: <citetitle>Text Representation of

877

Addresses</citetitle></term>

878

879

</varlistentry>

880

881

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

882

Address</citetitle></term>

883

884

</varlistentry>

885

886

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

887

Addresses</citetitle></term>

888

889

<para>

890

This client uses IPv6 link-local addresses, which are

891

immediately usable since a link-local addresses is

892

automatically assigned to a network interface when it

893

is brought up.

894

</para>

895

</listitem>

896

</varlistentry>

897

</variablelist>

898

</listitem>

899

</varlistentry>

900

901

<term>

902

RFC 4346: <citetitle>The Transport Layer Security (TLS)

903

Protocol Version 1.1</citetitle>

904

</term>

905

906

<para>

907

TLS 1.1 is the protocol implemented by GnuTLS.

908

</para>

909

</listitem>

910

</varlistentry>

911

912

<term>

913

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

914

</term>

915

916

<para>

917

The data received from the server is binary encrypted

918

OpenPGP data.

919

</para>

920

</listitem>

921

</varlistentry>

922

923

<term>

924

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

925

Security</citetitle>

926

</term>

927

928

<para>

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

931

</para>

932

</listitem>

933

</varlistentry>

934

</variablelist>

432

935

</refsect1>

433

434

936

</refentry>

937

435

938

436

939

437

940

Older »