To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 900
- compare with another revision
- download diff
- download tarball
- view history from revision 900
- Committer: Teddy Hogeborn
- Date: 2017-02-23 21:14:58 UTC
- mfrom: (237.4.90 release)
- Revision ID: teddy@recompile.se-20170223211458-2rv7ec5bxmk4ts81
Merge from release branch
- files added:
- DBUS-API
- debian/source
- debian/upstream
- network-hooks.d
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2009-09-10">
5
<!ENTITY TIMESTAMP "2017-02-23">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
<firstname>Björn</firstname>
20
20
<surname>Påhlsson</surname>
21
21
<address>
22
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
23
23
</address>
24
24
</author>
25
25
<author>
26
26
<firstname>Teddy</firstname>
27
27
<surname>Hogeborn</surname>
28
28
<address>
29
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
30
30
</address>
31
31
</author>
32
32
</authorgroup>
33
33
<copyright>
34
34
<year>2008</year>
35
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
38
<year>2012</year>
39
<year>2013</year>
40
<year>2014</year>
41
<year>2015</year>
42
<year>2016</year>
43
<year>2017</year>
36
44
<holder>Teddy Hogeborn</holder>
37
45
<holder>Björn Påhlsson</holder>
38
46
</copyright>
86
94
<sbr/>
87
95
<arg><option>--debug</option></arg>
88
96
<sbr/>
97
<arg><option>--debuglevel
98
<replaceable>LEVEL</replaceable></option></arg>
99
<sbr/>
89
100
<arg><option>--no-dbus</option></arg>
90
101
<sbr/>
91
102
<arg><option>--no-ipv6</option></arg>
103
<sbr/>
104
<arg><option>--no-restore</option></arg>
105
<sbr/>
106
<arg><option>--statedir
107
<replaceable>DIRECTORY</replaceable></option></arg>
108
<sbr/>
109
<arg><option>--socket
110
<replaceable>FD</replaceable></option></arg>
111
<sbr/>
112
<arg><option>--foreground</option></arg>
113
<sbr/>
114
<arg><option>--no-zeroconf</option></arg>
92
115
</cmdsynopsis>
93
116
<cmdsynopsis>
94
117
<command>&COMMANDNAME;</command>
112
135
<para>
113
136
<command>&COMMANDNAME;</command> is a server daemon which
114
137
handles incoming request for passwords for a pre-defined list of
115
client host computers. The Mandos server uses Zeroconf to
116
announce itself on the local network, and uses TLS to
117
communicate securely with and to authenticate the clients. The
118
Mandos server uses IPv6 to allow Mandos clients to use IPv6
119
link-local addresses, since the clients will probably not have
120
any other addresses configured (see <xref linkend="overview"/>).
121
Any authenticated client is then given the stored pre-encrypted
122
password for that specific client.
138
client host computers. For an introduction, see
139
<citerefentry><refentrytitle>intro</refentrytitle>
140
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
141
uses Zeroconf to announce itself on the local network, and uses
142
TLS to communicate securely with and to authenticate the
143
clients. The Mandos server uses IPv6 to allow Mandos clients to
144
use IPv6 link-local addresses, since the clients will probably
145
not have any other addresses configured (see <xref
146
linkend="overview"/>). Any authenticated client is then given
147
the stored pre-encrypted password for that specific client.
123
148
</para>
124
149
</refsect1>
125
150
194
219
</varlistentry>
195
220
196
221
<varlistentry>
222
<term><option>--debuglevel
223
<replaceable>LEVEL</replaceable></option></term>
224
<listitem>
225
<para>
226
Set the debugging log level.
227
<replaceable>LEVEL</replaceable> is a string, one of
228
<quote><literal>CRITICAL</literal></quote>,
229
<quote><literal>ERROR</literal></quote>,
230
<quote><literal>WARNING</literal></quote>,
231
<quote><literal>INFO</literal></quote>, or
232
<quote><literal>DEBUG</literal></quote>, in order of
233
increasing verbosity. The default level is
234
<quote><literal>WARNING</literal></quote>.
235
</para>
236
</listitem>
237
</varlistentry>
238
239
<varlistentry>
197
240
<term><option>--priority <replaceable>
198
241
PRIORITY</replaceable></option></term>
199
242
<listitem>
250
293
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
251
294
</listitem>
252
295
</varlistentry>
296
297
<varlistentry>
298
<term><option>--no-restore</option></term>
299
<listitem>
300
<xi:include href="mandos-options.xml" xpointer="restore"/>
301
<para>
302
See also <xref linkend="persistent_state"/>.
303
</para>
304
</listitem>
305
</varlistentry>
306
307
<varlistentry>
308
<term><option>--statedir
309
<replaceable>DIRECTORY</replaceable></option></term>
310
<listitem>
311
<xi:include href="mandos-options.xml" xpointer="statedir"/>
312
</listitem>
313
</varlistentry>
314
315
<varlistentry>
316
<term><option>--socket
317
<replaceable>FD</replaceable></option></term>
318
<listitem>
319
<xi:include href="mandos-options.xml" xpointer="socket"/>
320
</listitem>
321
</varlistentry>
322
323
<varlistentry>
324
<term><option>--foreground</option></term>
325
<listitem>
326
<xi:include href="mandos-options.xml"
327
xpointer="foreground"/>
328
</listitem>
329
</varlistentry>
330
331
<varlistentry>
332
<term><option>--no-zeroconf</option></term>
333
<listitem>
334
<xi:include href="mandos-options.xml" xpointer="zeroconf"/>
335
</listitem>
336
</varlistentry>
337
253
338
</variablelist>
254
339
</refsect1>
255
340
329
414
for some time, the client is assumed to be compromised and is no
330
415
longer eligible to receive the encrypted password. (Manual
331
416
intervention is required to re-enable a client.) The timeout,
332
checker program, and interval between checks can be configured
333
both globally and per client; see <citerefentry>
417
extended timeout, checker program, and interval between checks
418
can be configured both globally and per client; see
419
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
420
<manvolnum>5</manvolnum></citerefentry>.
421
</para>
422
</refsect1>
423
424
<refsect1 id="approval">
425
<title>APPROVAL</title>
426
<para>
427
The server can be configured to require manual approval for a
428
client before it is sent its secret. The delay to wait for such
429
approval and the default action (approve or deny) can be
430
configured both globally and per client; see <citerefentry>
334
431
<refentrytitle>mandos-clients.conf</refentrytitle>
335
<manvolnum>5</manvolnum></citerefentry>.
336
</para>
432
<manvolnum>5</manvolnum></citerefentry>. By default all clients
433
will be approved immediately without delay.
434
</para>
435
<para>
436
This can be used to deny a client its secret if not manually
437
approved within a specified time. It can also be used to make
438
the server delay before giving a client its secret, allowing
439
optional manual denying of this specific client.
440
</para>
441
337
442
</refsect1>
338
443
339
444
<refsect1 id="logging">
340
445
<title>LOGGING</title>
341
446
<para>
342
447
The server will send log message with various severity levels to
343
<filename>/dev/log</filename>. With the
448
<filename class="devicefile">/dev/log</filename>. With the
344
449
<option>--debug</option> option, it will log even more messages,
345
450
and also show them on the console.
346
451
</para>
347
452
</refsect1>
348
453
454
<refsect1 id="persistent_state">
455
<title>PERSISTENT STATE</title>
456
<para>
457
Client settings, initially read from
458
<filename>clients.conf</filename>, are persistent across
459
restarts, and run-time changes will override settings in
460
<filename>clients.conf</filename>. However, if a setting is
461
<emphasis>changed</emphasis> (or a client added, or removed) in
462
<filename>clients.conf</filename>, this will take precedence.
463
</para>
464
</refsect1>
465
349
466
<refsect1 id="dbus_interface">
350
467
<title>D-BUS INTERFACE</title>
351
468
<para>
352
469
The server will by default provide a D-Bus system bus interface.
353
470
This interface will only be accessible by the root user or a
354
Mandos-specific user, if such a user exists.
355
<!-- XXX -->
471
Mandos-specific user, if such a user exists. For documentation
472
of the D-Bus API, see the file <filename>DBUS-API</filename>.
356
473
</para>
357
474
</refsect1>
358
475
413
530
</listitem>
414
531
</varlistentry>
415
532
<varlistentry>
416
<term><filename>/var/run/mandos.pid</filename></term>
417
<listitem>
418
<para>
419
The file containing the process id of
420
<command>&COMMANDNAME;</command>.
421
</para>
422
</listitem>
423
</varlistentry>
424
<varlistentry>
425
<term><filename>/dev/log</filename></term>
533
<term><filename>/run/mandos.pid</filename></term>
534
<listitem>
535
<para>
536
The file containing the process id of the
537
<command>&COMMANDNAME;</command> process started last.
538
<emphasis >Note:</emphasis> If the <filename
539
class="directory">/run</filename> directory does not
540
exist, <filename>/var/run/mandos.pid</filename> will be
541
used instead.
542
</para>
543
</listitem>
544
</varlistentry>
545
<varlistentry>
546
<term><filename
547
class="directory">/var/lib/mandos</filename></term>
548
<listitem>
549
<para>
550
Directory where persistent state will be saved. Change
551
this with the <option>--statedir</option> option. See
552
also the <option>--no-restore</option> option.
553
</para>
554
</listitem>
555
</varlistentry>
556
<varlistentry>
557
<term><filename class="devicefile">/dev/log</filename></term>
426
558
<listitem>
427
559
<para>
428
560
The Unix domain socket to where local syslog messages are
451
583
backtrace. This could be considered a feature.
452
584
</para>
453
585
<para>
454
Currently, if a client is declared <quote>invalid</quote> due to
455
having timed out, the server does not record this fact onto
456
permanent storage. This has some security implications, see
457
<xref linkend="clients"/>.
458
</para>
459
<para>
460
There is currently no way of querying the server of the current
461
status of clients, other than analyzing its <systemitem
462
class="service">syslog</systemitem> output.
463
</para>
464
<para>
465
586
There is no fine-grained control over logging and debug output.
466
587
</para>
467
588
<para>
468
Debug mode is conflated with running in the foreground.
469
</para>
470
<para>
471
The console log messages do not show a time stamp.
472
</para>
473
<para>
474
589
This server does not check the expire time of clients’ OpenPGP
475
590
keys.
476
591
</para>
592
<xi:include href="bugs.xml"/>
477
593
</refsect1>
478
594
479
595
<refsect1 id="example">
489
605
<informalexample>
490
606
<para>
491
607
Run the server in debug mode, read configuration files from
492
the <filename>~/mandos</filename> directory, and use the
493
Zeroconf service name <quote>Test</quote> to not collide with
494
any other official Mandos server on this host:
608
the <filename class="directory">~/mandos</filename> directory,
609
and use the Zeroconf service name <quote>Test</quote> to not
610
collide with any other official Mandos server on this host:
495
611
</para>
496
612
<para>
497
613
546
662
compromised if they are gone for too long.
547
663
</para>
548
664
<para>
549
If a client is compromised, its downtime should be duly noted
550
by the server which would therefore declare the client
551
invalid. But if the server was ever restarted, it would
552
re-read its client list from its configuration file and again
553
regard all clients therein as valid, and hence eligible to
554
receive their passwords. Therefore, be careful when
555
restarting servers if it is suspected that a client has, in
556
fact, been compromised by parties who may now be running a
557
fake Mandos client with the keys from the non-encrypted
558
initial <acronym>RAM</acronym> image of the client host. What
559
should be done in that case (if restarting the server program
560
really is necessary) is to stop the server program, edit the
561
configuration file to omit any suspect clients, and restart
562
the server program.
563
</para>
564
<para>
565
665
For more details on client-side security, see
566
666
<citerefentry><refentrytitle>mandos-client</refentrytitle>
567
667
<manvolnum>8mandos</manvolnum></citerefentry>.
572
672
<refsect1 id="see_also">
573
673
<title>SEE ALSO</title>
574
674
<para>
575
<citerefentry>
576
<refentrytitle>mandos-clients.conf</refentrytitle>
577
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
578
<refentrytitle>mandos.conf</refentrytitle>
579
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
580
<refentrytitle>mandos-client</refentrytitle>
581
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
582
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
583
</citerefentry>
675
<citerefentry><refentrytitle>intro</refentrytitle>
676
<manvolnum>8mandos</manvolnum></citerefentry>,
677
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
678
<manvolnum>5</manvolnum></citerefentry>,
679
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
680
<manvolnum>5</manvolnum></citerefentry>,
681
<citerefentry><refentrytitle>mandos-client</refentrytitle>
682
<manvolnum>8mandos</manvolnum></citerefentry>,
683
<citerefentry><refentrytitle>sh</refentrytitle>
684
<manvolnum>1</manvolnum></citerefentry>
584
685
</para>
585
686
<variablelist>
586
687
<varlistentry>
607
708
</varlistentry>
608
709
<varlistentry>
609
710
<term>
610
<ulink url="http://www.gnu.org/software/gnutls/"
611
>GnuTLS</ulink>
711
<ulink url="https://gnutls.org/">GnuTLS</ulink>
612
712
</term>
613
713
<listitem>
614
714
<para>
652
752
</varlistentry>
653
753
<varlistentry>
654
754
<term>
655
RFC 4346: <citetitle>The Transport Layer Security (TLS)
656
Protocol Version 1.1</citetitle>
755
RFC 5246: <citetitle>The Transport Layer Security (TLS)
756
Protocol Version 1.2</citetitle>
657
757
</term>
658
758
<listitem>
659
759
<para>
660
TLS 1.1 is the protocol implemented by GnuTLS.
760
TLS 1.2 is the protocol implemented by GnuTLS.
661
761
</para>
662
762
</listitem>
663
763
</varlistentry>
673
773
</varlistentry>
674
774
<varlistentry>
675
775
<term>
676
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
677
Security</citetitle>
776
RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
777
Security (TLS) Authentication</citetitle>
678
778
</term>
679
779
<listitem>
680
780
<para>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0