To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 846
- compare with another revision
- download diff
- download tarball
- view history from revision 846
- Committer: Teddy Hogeborn
- Date: 2016-06-03 16:42:05 UTC
- Revision ID: teddy@recompile.se-20160603164205-0ekfa0r4pmqccd1w
debian/control: Update Standards-Version to 3.9.8
* debian/control (Standards-Version): Update to 3.9.8
* debian/control (Standards-Version): Update to 3.9.8
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- debian/upstream
- network-hooks.d
- plugin-helpers
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY TIMESTAMP "2008-09-04">
5
<!ENTITY TIMESTAMP "2016-03-05">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
7
8
]>
8
9
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
<refentryinfo>
11
<refentryinfo>
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
16
17
<authorgroup>
17
18
<author>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
20
21
<address>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
22
23
</address>
23
24
</author>
24
25
<author>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
27
28
<address>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
29
30
</address>
30
31
</author>
31
32
</authorgroup>
32
33
<copyright>
33
34
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
38
<year>2012</year>
39
<year>2013</year>
40
<year>2014</year>
41
<year>2015</year>
42
<year>2016</year>
34
43
<holder>Teddy Hogeborn</holder>
35
44
<holder>Björn Påhlsson</holder>
36
45
</copyright>
37
46
<xi:include href="legalnotice.xml"/>
38
47
</refentryinfo>
39
48
40
49
<refmeta>
41
50
<refentrytitle>&COMMANDNAME;</refentrytitle>
42
51
<manvolnum>8</manvolnum>
48
57
Gives encrypted passwords to authenticated Mandos clients
49
58
</refpurpose>
50
59
</refnamediv>
51
60
52
61
<refsynopsisdiv>
53
62
<cmdsynopsis>
54
63
<command>&COMMANDNAME;</command>
83
92
<replaceable>DIRECTORY</replaceable></option></arg>
84
93
<sbr/>
85
94
<arg><option>--debug</option></arg>
95
<sbr/>
96
<arg><option>--debuglevel
97
<replaceable>LEVEL</replaceable></option></arg>
98
<sbr/>
99
<arg><option>--no-dbus</option></arg>
100
<sbr/>
101
<arg><option>--no-ipv6</option></arg>
102
<sbr/>
103
<arg><option>--no-restore</option></arg>
104
<sbr/>
105
<arg><option>--statedir
106
<replaceable>DIRECTORY</replaceable></option></arg>
107
<sbr/>
108
<arg><option>--socket
109
<replaceable>FD</replaceable></option></arg>
110
<sbr/>
111
<arg><option>--foreground</option></arg>
112
<sbr/>
113
<arg><option>--no-zeroconf</option></arg>
86
114
</cmdsynopsis>
87
115
<cmdsynopsis>
88
116
<command>&COMMANDNAME;</command>
100
128
<arg choice="plain"><option>--check</option></arg>
101
129
</cmdsynopsis>
102
130
</refsynopsisdiv>
103
131
104
132
<refsect1 id="description">
105
133
<title>DESCRIPTION</title>
106
134
<para>
107
135
<command>&COMMANDNAME;</command> is a server daemon which
108
136
handles incoming request for passwords for a pre-defined list of
109
client host computers. The Mandos server uses Zeroconf to
110
announce itself on the local network, and uses TLS to
111
communicate securely with and to authenticate the clients. The
112
Mandos server uses IPv6 to allow Mandos clients to use IPv6
113
link-local addresses, since the clients will probably not have
114
any other addresses configured (see <xref linkend="overview"/>).
115
Any authenticated client is then given the stored pre-encrypted
116
password for that specific client.
137
client host computers. For an introduction, see
138
<citerefentry><refentrytitle>intro</refentrytitle>
139
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
140
uses Zeroconf to announce itself on the local network, and uses
141
TLS to communicate securely with and to authenticate the
142
clients. The Mandos server uses IPv6 to allow Mandos clients to
143
use IPv6 link-local addresses, since the clients will probably
144
not have any other addresses configured (see <xref
145
linkend="overview"/>). Any authenticated client is then given
146
the stored pre-encrypted password for that specific client.
117
147
</para>
118
148
</refsect1>
119
149
186
216
<xi:include href="mandos-options.xml" xpointer="debug"/>
187
217
</listitem>
188
218
</varlistentry>
189
219
220
<varlistentry>
221
<term><option>--debuglevel
222
<replaceable>LEVEL</replaceable></option></term>
223
<listitem>
224
<para>
225
Set the debugging log level.
226
<replaceable>LEVEL</replaceable> is a string, one of
227
<quote><literal>CRITICAL</literal></quote>,
228
<quote><literal>ERROR</literal></quote>,
229
<quote><literal>WARNING</literal></quote>,
230
<quote><literal>INFO</literal></quote>, or
231
<quote><literal>DEBUG</literal></quote>, in order of
232
increasing verbosity. The default level is
233
<quote><literal>WARNING</literal></quote>.
234
</para>
235
</listitem>
236
</varlistentry>
237
190
238
<varlistentry>
191
239
<term><option>--priority <replaceable>
192
240
PRIORITY</replaceable></option></term>
194
242
<xi:include href="mandos-options.xml" xpointer="priority"/>
195
243
</listitem>
196
244
</varlistentry>
197
245
198
246
<varlistentry>
199
247
<term><option>--servicename
200
248
<replaceable>NAME</replaceable></option></term>
203
251
xpointer="servicename"/>
204
252
</listitem>
205
253
</varlistentry>
206
254
207
255
<varlistentry>
208
256
<term><option>--configdir
209
257
<replaceable>DIRECTORY</replaceable></option></term>
218
266
</para>
219
267
</listitem>
220
268
</varlistentry>
221
269
222
270
<varlistentry>
223
271
<term><option>--version</option></term>
224
272
<listitem>
227
275
</para>
228
276
</listitem>
229
277
</varlistentry>
278
279
<varlistentry>
280
<term><option>--no-dbus</option></term>
281
<listitem>
282
<xi:include href="mandos-options.xml" xpointer="dbus"/>
283
<para>
284
See also <xref linkend="dbus_interface"/>.
285
</para>
286
</listitem>
287
</varlistentry>
288
289
<varlistentry>
290
<term><option>--no-ipv6</option></term>
291
<listitem>
292
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
293
</listitem>
294
</varlistentry>
295
296
<varlistentry>
297
<term><option>--no-restore</option></term>
298
<listitem>
299
<xi:include href="mandos-options.xml" xpointer="restore"/>
300
<para>
301
See also <xref linkend="persistent_state"/>.
302
</para>
303
</listitem>
304
</varlistentry>
305
306
<varlistentry>
307
<term><option>--statedir
308
<replaceable>DIRECTORY</replaceable></option></term>
309
<listitem>
310
<xi:include href="mandos-options.xml" xpointer="statedir"/>
311
</listitem>
312
</varlistentry>
313
314
<varlistentry>
315
<term><option>--socket
316
<replaceable>FD</replaceable></option></term>
317
<listitem>
318
<xi:include href="mandos-options.xml" xpointer="socket"/>
319
</listitem>
320
</varlistentry>
321
322
<varlistentry>
323
<term><option>--foreground</option></term>
324
<listitem>
325
<xi:include href="mandos-options.xml"
326
xpointer="foreground"/>
327
</listitem>
328
</varlistentry>
329
330
<varlistentry>
331
<term><option>--no-zeroconf</option></term>
332
<listitem>
333
<xi:include href="mandos-options.xml" xpointer="zeroconf"/>
334
</listitem>
335
</varlistentry>
336
230
337
</variablelist>
231
338
</refsect1>
232
339
233
340
<refsect1 id="overview">
234
341
<title>OVERVIEW</title>
235
342
<xi:include href="overview.xml"/>
239
346
<acronym>RAM</acronym> disk environment.
240
347
</para>
241
348
</refsect1>
242
349
243
350
<refsect1 id="protocol">
244
351
<title>NETWORK PROTOCOL</title>
245
352
<para>
297
404
</row>
298
405
</tbody></tgroup></table>
299
406
</refsect1>
300
407
301
408
<refsect1 id="checking">
302
409
<title>CHECKING</title>
303
410
<para>
304
411
The server will, by default, continually check that the clients
305
412
are still up. If a client has not been confirmed as being up
306
413
for some time, the client is assumed to be compromised and is no
307
longer eligible to receive the encrypted password. The timeout,
308
checker program, and interval between checks can be configured
309
both globally and per client; see <citerefentry>
414
longer eligible to receive the encrypted password. (Manual
415
intervention is required to re-enable a client.) The timeout,
416
extended timeout, checker program, and interval between checks
417
can be configured both globally and per client; see
418
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
419
<manvolnum>5</manvolnum></citerefentry>.
420
</para>
421
</refsect1>
422
423
<refsect1 id="approval">
424
<title>APPROVAL</title>
425
<para>
426
The server can be configured to require manual approval for a
427
client before it is sent its secret. The delay to wait for such
428
approval and the default action (approve or deny) can be
429
configured both globally and per client; see <citerefentry>
310
430
<refentrytitle>mandos-clients.conf</refentrytitle>
311
<manvolnum>5</manvolnum></citerefentry>.
312
</para>
431
<manvolnum>5</manvolnum></citerefentry>. By default all clients
432
will be approved immediately without delay.
433
</para>
434
<para>
435
This can be used to deny a client its secret if not manually
436
approved within a specified time. It can also be used to make
437
the server delay before giving a client its secret, allowing
438
optional manual denying of this specific client.
439
</para>
440
313
441
</refsect1>
314
442
315
443
<refsect1 id="logging">
316
444
<title>LOGGING</title>
317
445
<para>
318
446
The server will send log message with various severity levels to
319
<filename>/dev/log</filename>. With the
447
<filename class="devicefile">/dev/log</filename>. With the
320
448
<option>--debug</option> option, it will log even more messages,
321
449
and also show them on the console.
322
450
</para>
323
451
</refsect1>
324
452
453
<refsect1 id="persistent_state">
454
<title>PERSISTENT STATE</title>
455
<para>
456
Client settings, initially read from
457
<filename>clients.conf</filename>, are persistent across
458
restarts, and run-time changes will override settings in
459
<filename>clients.conf</filename>. However, if a setting is
460
<emphasis>changed</emphasis> (or a client added, or removed) in
461
<filename>clients.conf</filename>, this will take precedence.
462
</para>
463
</refsect1>
464
465
<refsect1 id="dbus_interface">
466
<title>D-BUS INTERFACE</title>
467
<para>
468
The server will by default provide a D-Bus system bus interface.
469
This interface will only be accessible by the root user or a
470
Mandos-specific user, if such a user exists. For documentation
471
of the D-Bus API, see the file <filename>DBUS-API</filename>.
472
</para>
473
</refsect1>
474
325
475
<refsect1 id="exit_status">
326
476
<title>EXIT STATUS</title>
327
477
<para>
329
479
critical error is encountered.
330
480
</para>
331
481
</refsect1>
332
482
333
483
<refsect1 id="environment">
334
484
<title>ENVIRONMENT</title>
335
485
<variablelist>
349
499
</varlistentry>
350
500
</variablelist>
351
501
</refsect1>
352
353
<refsect1 id="file">
502
503
<refsect1 id="files">
354
504
<title>FILES</title>
355
505
<para>
356
506
Use the <option>--configdir</option> option to change where
379
529
</listitem>
380
530
</varlistentry>
381
531
<varlistentry>
382
<term><filename>/var/run/mandos/mandos.pid</filename></term>
383
<listitem>
384
<para>
385
The file containing the process id of
386
<command>&COMMANDNAME;</command>.
387
</para>
388
</listitem>
389
</varlistentry>
390
<varlistentry>
391
<term><filename>/dev/log</filename></term>
532
<term><filename>/run/mandos.pid</filename></term>
533
<listitem>
534
<para>
535
The file containing the process id of the
536
<command>&COMMANDNAME;</command> process started last.
537
<emphasis >Note:</emphasis> If the <filename
538
class="directory">/run</filename> directory does not
539
exist, <filename>/var/run/mandos.pid</filename> will be
540
used instead.
541
</para>
542
</listitem>
543
</varlistentry>
544
<varlistentry>
545
<term><filename
546
class="directory">/var/lib/mandos</filename></term>
547
<listitem>
548
<para>
549
Directory where persistent state will be saved. Change
550
this with the <option>--statedir</option> option. See
551
also the <option>--no-restore</option> option.
552
</para>
553
</listitem>
554
</varlistentry>
555
<varlistentry>
556
<term><filename class="devicefile">/dev/log</filename></term>
392
557
<listitem>
393
558
<para>
394
559
The Unix domain socket to where local syslog messages are
417
582
backtrace. This could be considered a feature.
418
583
</para>
419
584
<para>
420
Currently, if a client is declared <quote>invalid</quote> due to
421
having timed out, the server does not record this fact onto
422
permanent storage. This has some security implications, see
423
<xref linkend="CLIENTS"/>.
424
</para>
425
<para>
426
There is currently no way of querying the server of the current
427
status of clients, other than analyzing its <systemitem
428
class="service">syslog</systemitem> output.
429
</para>
430
<para>
431
585
There is no fine-grained control over logging and debug output.
432
586
</para>
433
587
<para>
434
Debug mode is conflated with running in the foreground.
435
</para>
436
<para>
437
The console log messages does not show a time stamp.
438
</para>
439
<para>
440
588
This server does not check the expire time of clients’ OpenPGP
441
589
keys.
442
590
</para>
591
<xi:include href="bugs.xml"/>
443
592
</refsect1>
444
593
445
594
<refsect1 id="example">
455
604
<informalexample>
456
605
<para>
457
606
Run the server in debug mode, read configuration files from
458
the <filename>~/mandos</filename> directory, and use the
459
Zeroconf service name <quote>Test</quote> to not collide with
460
any other official Mandos server on this host:
607
the <filename class="directory">~/mandos</filename> directory,
608
and use the Zeroconf service name <quote>Test</quote> to not
609
collide with any other official Mandos server on this host:
461
610
</para>
462
611
<para>
463
612
479
628
</para>
480
629
</informalexample>
481
630
</refsect1>
482
631
483
632
<refsect1 id="security">
484
633
<title>SECURITY</title>
485
<refsect2 id="SERVER">
634
<refsect2 id="server">
486
635
<title>SERVER</title>
487
636
<para>
488
637
Running this <command>&COMMANDNAME;</command> server program
489
638
should not in itself present any security risk to the host
490
computer running it. The program does not need any special
491
privileges to run, and is designed to run as a non-root user.
639
computer running it. The program switches to a non-root user
640
soon after startup.
492
641
</para>
493
642
</refsect2>
494
<refsect2 id="CLIENTS">
643
<refsect2 id="clients">
495
644
<title>CLIENTS</title>
496
645
<para>
497
646
The server only gives out its stored data to clients which
504
653
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
505
654
<manvolnum>5</manvolnum></citerefentry>)
506
655
<emphasis>must</emphasis> be made non-readable by anyone
507
except the user running the server.
656
except the user starting the server (usually root).
508
657
</para>
509
658
<para>
510
659
As detailed in <xref linkend="checking"/>, the status of all
512
661
compromised if they are gone for too long.
513
662
</para>
514
663
<para>
515
If a client is compromised, its downtime should be duly noted
516
by the server which would therefore declare the client
517
invalid. But if the server was ever restarted, it would
518
re-read its client list from its configuration file and again
519
regard all clients therein as valid, and hence eligible to
520
receive their passwords. Therefore, be careful when
521
restarting servers if it is suspected that a client has, in
522
fact, been compromised by parties who may now be running a
523
fake Mandos client with the keys from the non-encrypted
524
initial <acronym>RAM</acronym> image of the client host. What
525
should be done in that case (if restarting the server program
526
really is necessary) is to stop the server program, edit the
527
configuration file to omit any suspect clients, and restart
528
the server program.
529
</para>
530
<para>
531
664
For more details on client-side security, see
532
<citerefentry><refentrytitle>password-request</refentrytitle>
665
<citerefentry><refentrytitle>mandos-client</refentrytitle>
533
666
<manvolnum>8mandos</manvolnum></citerefentry>.
534
667
</para>
535
668
</refsect2>
536
669
</refsect1>
537
670
538
671
<refsect1 id="see_also">
539
672
<title>SEE ALSO</title>
540
673
<para>
541
<citerefentry>
542
<refentrytitle>mandos-clients.conf</refentrytitle>
543
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
<refentrytitle>mandos.conf</refentrytitle>
545
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
<refentrytitle>password-request</refentrytitle>
547
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
</citerefentry>
674
<citerefentry><refentrytitle>intro</refentrytitle>
675
<manvolnum>8mandos</manvolnum></citerefentry>,
676
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
677
<manvolnum>5</manvolnum></citerefentry>,
678
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
679
<manvolnum>5</manvolnum></citerefentry>,
680
<citerefentry><refentrytitle>mandos-client</refentrytitle>
681
<manvolnum>8mandos</manvolnum></citerefentry>,
682
<citerefentry><refentrytitle>sh</refentrytitle>
683
<manvolnum>1</manvolnum></citerefentry>
550
684
</para>
551
685
<variablelist>
552
686
<varlistentry>
573
707
</varlistentry>
574
708
<varlistentry>
575
709
<term>
576
<ulink url="http://www.gnu.org/software/gnutls/"
577
>GnuTLS</ulink>
710
<ulink url="http://gnutls.org/">GnuTLS</ulink>
578
711
</term>
579
712
<listitem>
580
713
<para>
618
751
</varlistentry>
619
752
<varlistentry>
620
753
<term>
621
RFC 4346: <citetitle>The Transport Layer Security (TLS)
622
Protocol Version 1.1</citetitle>
754
RFC 5246: <citetitle>The Transport Layer Security (TLS)
755
Protocol Version 1.2</citetitle>
623
756
</term>
624
757
<listitem>
625
758
<para>
626
TLS 1.1 is the protocol implemented by GnuTLS.
759
TLS 1.2 is the protocol implemented by GnuTLS.
627
760
</para>
628
761
</listitem>
629
762
</varlistentry>
639
772
</varlistentry>
640
773
<varlistentry>
641
774
<term>
642
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
643
Security</citetitle>
775
RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
776
Security (TLS) Authentication</citetitle>
644
777
</term>
645
778
<listitem>
646
779
<para>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0