/mandos/trunk : revision 848

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2016-06-03 17:18:46 UTC
Revision ID: teddy@recompile.se-20160603171846-zr11h4gshlkgoona

mandos-keygen: Try to use ECDSA keys with ssh-keyscan(1) by default.

* mandos-keygen (password): Add "ecdsa-sha2-nistp256" first in list of
SSH key types to try to scan for.

files added:
bugs.xml

debian/mandos-client.examples

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-10-03">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

101

102

<sbr/>

103

<arg><option>--no-restore</option></arg>

104

<sbr/>

105

<arg><option>--statedir

106

<replaceable>DIRECTORY</replaceable></option></arg>

107

<sbr/>

108

<arg><option>--socket

109

110

<sbr/>

111

<arg><option>--foreground</option></arg>

112

<sbr/>

113

<arg><option>--no-zeroconf</option></arg>

114

</cmdsynopsis>

100

115

101

116

<command>&COMMANDNAME;</command>

282

297

<term><option>--no-restore</option></term>

283

298

284

299

<xi:include href="mandos-options.xml" xpointer="restore"/>

285

</listitem>

286

</varlistentry>

300

<para>

301

See also <xref linkend="persistent_state"/>.

302

</para>

303

</listitem>

304

</varlistentry>

305

306

307

<term><option>--statedir

308

<replaceable>DIRECTORY</replaceable></option></term>

309

310

<xi:include href="mandos-options.xml" xpointer="statedir"/>

311

</listitem>

312

</varlistentry>

313

314

315

<term><option>--socket

316

317

318

<xi:include href="mandos-options.xml" xpointer="socket"/>

319

</listitem>

320

</varlistentry>

321

322

323

<term><option>--foreground</option></term>

324

325

<xi:include href="mandos-options.xml"

326

xpointer="foreground"/>

327

</listitem>

328

</varlistentry>

329

330

331

<term><option>--no-zeroconf</option></term>

332

333

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

334

</listitem>

335

</varlistentry>

336

287

337

</variablelist>

288

338

</refsect1>

289

339

366

416

extended timeout, checker program, and interval between checks

367

417

can be configured both globally and per client; see

368

418

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

369

<manvolnum>5</manvolnum></citerefentry>. A client successfully

370

receiving its password will also be treated as a successful

371

checker run.

419

<manvolnum>5</manvolnum></citerefentry>.

372

420

</para>

373

421

</refsect1>

374

422

396

444

<title>LOGGING</title>

397

445

<para>

398

446

The server will send log message with various severity levels to

399

<filename>/dev/log</filename>. With the

447

<filename class="devicefile">/dev/log</filename>. With the

400

448

<option>--debug</option> option, it will log even more messages,

401

449

and also show them on the console.

402

450

</para>

403

451

</refsect1>

404

452

453

454

<title>PERSISTENT STATE</title>

455

<para>

456

Client settings, initially read from

457

<filename>clients.conf</filename>, are persistent across

458

restarts, and run-time changes will override settings in

459

<filename>clients.conf</filename>. However, if a setting is

460

<emphasis>changed</emphasis> (or a client added, or removed) in

461

<filename>clients.conf</filename>, this will take precedence.

462

</para>

463

</refsect1>

464

405

465

406

466

<title>D-BUS INTERFACE</title>

407

467

<para>

469

529

</listitem>

470

530

</varlistentry>

471

531

472

<term><filename>/var/run/mandos.pid</filename></term>

532

<term><filename>/run/mandos.pid</filename></term>

473

533

474

534

<para>

475

535

The file containing the process id of the

476

536

<command>&COMMANDNAME;</command> process started last.

477

</para>

478

</listitem>

479

</varlistentry>

480

481

537

<emphasis >Note:</emphasis> If the <filename

538

class="directory">/run</filename> directory does not

539

exist, <filename>/var/run/mandos.pid</filename> will be

540

used instead.

541

</para>

542

</listitem>

543

</varlistentry>

544

545

<term><filename

546

class="directory">/var/lib/mandos</filename></term>

547

548

<para>

549

Directory where persistent state will be saved. Change

550

this with the <option>--statedir</option> option. See

551

also the <option>--no-restore</option> option.

552

</para>

553

</listitem>

554

</varlistentry>

555

556

482

557

483

558

<para>

484

559

The Unix domain socket to where local syslog messages are

507

582

backtrace. This could be considered a feature.

508

583

</para>

509

584

<para>

510

Currently, if a client is disabled due to having timed out, the

511

server does not record this fact onto permanent storage. This

512

has some security implications, see <xref linkend="clients"/>.

513

</para>

514

<para>

515

585

There is no fine-grained control over logging and debug output.

516

586

</para>

517

587

<para>

518

Debug mode is conflated with running in the foreground.

519

</para>

520

<para>

521

The console log messages do not show a time stamp.

522

</para>

523

<para>

524

588

This server does not check the expire time of clients’ OpenPGP

525

589

keys.

526

590

</para>

591

<xi:include href="bugs.xml"/>

527

592

</refsect1>

528

593

529

594

539

604

540

605

<para>

541

606

Run the server in debug mode, read configuration files from

542

the <filename>~/mandos</filename> directory, and use the

543

Zeroconf service name <quote>Test</quote> to not collide with

544

any other official Mandos server on this host:

607

the <filename class="directory">~/mandos</filename> directory,

608

and use the Zeroconf service name <quote>Test</quote> to not

609

collide with any other official Mandos server on this host:

545

610

</para>

546

611

<para>

547

612

596

661

compromised if they are gone for too long.

597

662

</para>

598

663

<para>

599

If a client is compromised, its downtime should be duly noted

600

by the server which would therefore disable the client. But

601

if the server was ever restarted, it would re-read its client

602

list from its configuration file and again regard all clients

603

therein as enabled, and hence eligible to receive their

604

passwords. Therefore, be careful when restarting servers if

605

it is suspected that a client has, in fact, been compromised

606

by parties who may now be running a fake Mandos client with

607

the keys from the non-encrypted initial <acronym>RAM</acronym>

608

image of the client host. What should be done in that case

609

(if restarting the server program really is necessary) is to

610

stop the server program, edit the configuration file to omit

611

any suspect clients, and restart the server program.

612

</para>

613

<para>

614

664

For more details on client-side security, see

615

665

<citerefentry><refentrytitle>mandos-client</refentrytitle>

616

666

<manvolnum>8mandos</manvolnum></citerefentry>.

657

707

</varlistentry>

658

708

659

709

<term>

660

<ulink url="http://www.gnu.org/software/gnutls/"

661

>GnuTLS</ulink>

710

<ulink url="http://gnutls.org/">GnuTLS</ulink>

662

711

</term>

663

712

664

713

<para>

702

751

</varlistentry>

703

752

704

753

<term>

705

RFC 4346: <citetitle>The Transport Layer Security (TLS)

706

Protocol Version 1.1</citetitle>

754

RFC 5246: <citetitle>The Transport Layer Security (TLS)

755

Protocol Version 1.2</citetitle>

707

756

</term>

708

757

709

758

<para>

710

TLS 1.1 is the protocol implemented by GnuTLS.

759

TLS 1.2 is the protocol implemented by GnuTLS.

711

760

</para>

712

761

</listitem>

713

762

</varlistentry>

723

772

</varlistentry>

724

773

725

774

<term>

726

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

727

Security</citetitle>

775

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

776

Security (TLS) Authentication</citetitle>

728

777

</term>

729

778

730

779

<para>

Older »