/mandos/trunk : revision 905

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2017-08-20 14:14:14 UTC
Revision ID: teddy@recompile.se-20170820141414-m034xuebg7ccaeui

Add some more restrictions to the systemd service file.

* mandos.service ([Service]/ProtectKernelTunables): New; set to "yes".
([Service]/ProtectControlGroups): - '' -

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

169

153

brings up network interfaces, uses the interfaces’ IPv6

170

154

link-local addresses to get network connectivity, uses Zeroconf

171

155

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

156

servers using TLS with an OpenPGP key to ensure authenticity and

157

confidentiality. This client program keeps running, trying all

158

servers on the network, until it receives a satisfactory reply

159

or a TERM signal. After all servers have been tried, all

176

160

servers are periodically retried. If no servers are found it

177

161

will wait indefinitely for new servers to appear.

178

162

</para>

196

180

</para>

197

181

<para>

198

182

This program is not meant to be run directly; it is really meant

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

183

to run as a plugin of the <application>Mandos</application>

184

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

185

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

186

initial <acronym>RAM</acronym> disk environment because it is

187

specified as a <quote>keyscript</quote> in the <citerefentry>

188

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

189

</citerefentry> file.

202

190

</para>

203

191

</refsect1>

204

192

216

204

<title>OPTIONS</title>

217

205

<para>

218

206

This program is commonly not invoked from the command line; it

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

207

is normally started by the <application>Mandos</application>

208

plugin runner, see <citerefentry><refentrytitle

209

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

210

</citerefentry>. Any command line options this program accepts

211

are therefore normally provided by the plugin runner, and not

212

directly.

223

213

</para>

224

214

225

215

316

306

</varlistentry>

317

307

318

308

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

309

<term><option>--priority=<replaceable

348

310

>STRING</replaceable></option></term>

349

311

359

321

<para>

360

322

Sets the number of bits to use for the prime number in the

361

323

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

324

selected automatically based on the OpenPGP key. Note

325

that if the <option>--dh-params</option> option is used,

326

the values from that file will be used instead.

366

327

</para>

367

328

</listitem>

368

329

</varlistentry>

476

437

<title>OVERVIEW</title>

477

438

<xi:include href="../overview.xml"/>

478

439

<para>

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

440

This program is the client part. It is a plugin started by

441

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

442

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

443

an initial <acronym>RAM</acronym> disk environment.

504

444

</para>

505

445

<para>

506

446

This program could, theoretically, be used as a keyscript in

507

447

<filename>/etc/crypttab</filename>, but it would then be

508

448

impossible to enter a password for the encrypted root disk at

509

449

the console, since this program does not read from the console

510

at all.

450

at all. This is why a separate plugin runner (<citerefentry>

451

<refentrytitle>plugin-runner</refentrytitle>

452

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

453

both this program and others in in parallel,

454

<emphasis>one</emphasis> of which (<citerefentry>

455

<refentrytitle>password-prompt</refentrytitle>

456

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

457

passwords on the system console.

511

458

</para>

512

459

</refsect1>

513

460

533

480

<para>

534

481

This environment variable will be assumed to contain the

535

482

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

483

nature of these helper executables, if any, is

484

purposefully not documented.

538

485

</para>

539

486

</listitem>

540

487

</varlistentry>

734

681

</listitem>

735

682

</varlistentry>

736

683

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

684

<term><filename

752

685

class="directory">/lib/mandos/network-hooks.d</filename></term>

753

686

770

703

<title>EXAMPLE</title>

771

704

<para>

772

705

Note that normally, command line options will not be given

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

706

directly, but via options for the Mandos <citerefentry

707

><refentrytitle>plugin-runner</refentrytitle>

708

<manvolnum>8mandos</manvolnum></citerefentry>.

775

709

</para>

776

710

777

711

<para>

794

728

</informalexample>

795

729

796

730

<para>

797

Run in debug mode, and use custom keys:

731

Run in debug mode, and use a custom key:

798

732

</para>

799

733

<para>

800

734

801

735

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

736

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

803

737

804

738

</para>

805

739

</informalexample>

806

740

807

741

<para>

808

Run in debug mode, with custom keys, and do not use Zeroconf

742

Run in debug mode, with a custom key, and do not use Zeroconf

809

743

to locate a server; connect directly to the IPv6 link-local

810

744

address <quote><systemitem class="ipaddress"

811

745

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

814

748

<para>

815

749

816

750

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

818

752

819

753

</para>

820

754

</informalexample>

823

757

824

758

<title>SECURITY</title>

825

759

<para>

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

760

This program is set-uid to root, but will switch back to the

761

original (and presumably non-privileged) user and group after

762

bringing up the network interface.

829

763

</para>

830

764

<para>

831

765

To use this program for its intended purpose (see <xref

844

778

<para>

845

779

The only remaining weak point is that someone with physical

846

780

access to the client hard drive might turn off the client

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

781

computer, read the OpenPGP keys directly from the hard drive,

782

and communicate with the server. To safeguard against this, the

783

server is supposed to notice the client disappearing and stop

784

giving out the encrypted data. Therefore, it is important to

785

set the timeout and checker interval values tightly on the

786

server. See <citerefentry><refentrytitle

853

787

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

854

788

</para>

855

789

<para>

879

813

<manvolnum>5</manvolnum></citerefentry>,

880

814

<citerefentry><refentrytitle>mandos</refentrytitle>

881

815

<manvolnum>8</manvolnum></citerefentry>,

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

816

<citerefentry><refentrytitle>password-prompt</refentrytitle>

883

817

<manvolnum>8mandos</manvolnum></citerefentry>,

884

818

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

885

819

<manvolnum>8mandos</manvolnum></citerefentry>

898

832

</varlistentry>

899

833

900

834

<term>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

835

<ulink url="http://www.avahi.org/">Avahi</ulink>

902

836

</term>

903

837

904

838

<para>

915

849

<para>

916

850

GnuTLS is the library this client uses to implement TLS for

917

851

communicating securely with the server, and at the same time

918

send the public key to the server.

852

send the public OpenPGP key to the server.

919

853

</para>

920

854

</listitem>

921

855

</varlistentry>

987

921

</varlistentry>

988

922

989

923

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

924

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

1005

925

Security</citetitle>

1006

926

</term>

1007

927

1008

928

<para>

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

1012

931

</para>

1013

932

</listitem>

1014

933

</varlistentry>

Older »