/mandos/trunk : revision 907

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2017-08-20 16:20:54 UTC
Revision ID: teddy@recompile.se-20170820162054-jwig602syxx2k4l0

Alter copyright notices slightly.  Actual license is unchanged!

This alters all copyright notices to use the Free Software
Foundation's recommendations for license notices; from
<https://www.gnu.org/licenses/gpl-howto.html>:

  For programs that are more than one file, it is better to replace
  “this program” with the name of the program, and begin the statement
  with a line saying “This file is part of NAME”.

* DBUS-API: Use program name "Mandos" explicitly in license notice.
* debian/copyright: - '' -
* initramfs-unpack: - '' -
* legalnotice.xml: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* mandos-keygen: - '' -
* mandos-monitor: - '' -
* plugin-helpers/mandos-client-iprouteadddel.c: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/usplash.c: - '' -

files added:
initramfs-tools-hook-conf

files removed:
initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files modified:
DBUS-API

INSTALL

Makefile

NEWS

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-02-09">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--tls-privkey

100

101

<arg choice="plain"><option>-t

102

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--tls-pubkey

107

108

<arg choice="plain"><option>-T

109

110

</group>

111

<sbr/>

112

<arg>

113

<option>--priority <replaceable>STRING</replaceable></option>

114

</arg>

168

153

brings up network interfaces, uses the interfaces’ IPv6

169

154

link-local addresses to get network connectivity, uses Zeroconf

170

155

to find servers on the local network, and communicates with

171

servers using TLS with a raw public key to ensure authenticity

172

and confidentiality. This client program keeps running, trying

173

all servers on the network, until it receives a satisfactory

174

reply or a TERM signal. After all servers have been tried, all

156

servers using TLS with an OpenPGP key to ensure authenticity and

157

confidentiality. This client program keeps running, trying all

158

servers on the network, until it receives a satisfactory reply

159

or a TERM signal. After all servers have been tried, all

175

160

servers are periodically retried. If no servers are found it

176

161

will wait indefinitely for new servers to appear.

177

162

</para>

321

306

</varlistentry>

322

307

323

308

324

<term><option>--tls-pubkey=<replaceable

325

>FILE</replaceable></option></term>

326

<term><option>-T

327

328

329

<para>

330

TLS raw public key file name. The default name is

331

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

332

></quote>.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

338

<term><option>--tls-privkey=<replaceable

339

>FILE</replaceable></option></term>

340

<term><option>-t

341

342

343

<para>

344

TLS secret key file name. The default name is

345

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

346

></quote>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

309

<term><option>--priority=<replaceable

353

310

>STRING</replaceable></option></term>

354

311

364

321

<para>

365

322

Sets the number of bits to use for the prime number in the

366

323

TLS Diffie-Hellman key exchange. The default value is

367

selected automatically based on the GnuTLS security

368

profile set in its priority string. Note that if the

369

<option>--dh-params</option> option is used, the values

370

from that file will be used instead.

324

selected automatically based on the OpenPGP key. Note

325

that if the <option>--dh-params</option> option is used,

326

the values from that file will be used instead.

371

327

</para>

372

328

</listitem>

373

329

</varlistentry>

725

681

</listitem>

726

682

</varlistentry>

727

683

728

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

729

></term>

730

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

731

></term>

732

733

<para>

734

Public and private raw key files, in <quote>PEM</quote>

735

format. These are the default file names, they can be

736

changed with the <option>--tls-pubkey</option> and

737

<option>--tls-privkey</option> options.

738

</para>

739

</listitem>

740

</varlistentry>

741

742

684

<term><filename

743

685

class="directory">/lib/mandos/network-hooks.d</filename></term>

744

686

786

728

</informalexample>

787

729

788

730

<para>

789

Run in debug mode, and use custom keys:

731

Run in debug mode, and use a custom key:

790

732

</para>

791

733

<para>

792

734

793

735

794

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

736

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

737

796

738

</para>

797

739

</informalexample>

798

740

799

741

<para>

800

Run in debug mode, with custom keys, and do not use Zeroconf

742

Run in debug mode, with a custom key, and do not use Zeroconf

801

743

to locate a server; connect directly to the IPv6 link-local

802

744

address <quote><systemitem class="ipaddress"

803

745

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

806

748

<para>

807

749

808

750

809

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

752

811

753

</para>

812

754

</informalexample>

836

778

<para>

837

779

The only remaining weak point is that someone with physical

838

780

access to the client hard drive might turn off the client

839

computer, read the OpenPGP and TLS keys directly from the hard

840

drive, and communicate with the server. To safeguard against

841

this, the server is supposed to notice the client disappearing

842

and stop giving out the encrypted data. Therefore, it is

843

important to set the timeout and checker interval values tightly

844

on the server. See <citerefentry><refentrytitle

781

computer, read the OpenPGP keys directly from the hard drive,

782

and communicate with the server. To safeguard against this, the

783

server is supposed to notice the client disappearing and stop

784

giving out the encrypted data. Therefore, it is important to

785

set the timeout and checker interval values tightly on the

786

server. See <citerefentry><refentrytitle

845

787

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

846

788

</para>

847

789

<para>

907

849

<para>

908

850

GnuTLS is the library this client uses to implement TLS for

909

851

communicating securely with the server, and at the same time

910

send the public key to the server.

852

send the public OpenPGP key to the server.

911

853

</para>

912

854

</listitem>

913

855

</varlistentry>

979

921

</varlistentry>

980

922

981

923

<term>

982

RFC 7250: <citetitle>Using Raw Public Keys in Transport

983

Layer Security (TLS) and Datagram Transport Layer Security

984

(DTLS)</citetitle>

985

</term>

986

987

<para>

988

This is implemented by GnuTLS in version 3.6.6 and is, if

989

present, used by this program so that raw public keys can be

990

used.

991

</para>

992

</listitem>

993

</varlistentry>

994

995

<term>

996

924

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

997

925

Security</citetitle>

998

926

</term>

999

927

1000

928

<para>

1001

This is implemented by GnuTLS before version 3.6.0 and is,

1002

if present, used by this program so that OpenPGP keys can be

1003

used.

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

1004

931

</para>

1005

932

</listitem>

1006

933

</varlistentry>

Older »